Password Hash
Contents
- 1 Status
- 2 Contributors
- 3 Overview
- 4 Purpose
- 5 References
- 6 Design Considerations
- 7 Glossary
- 8 Functional Requirements
- 9 Acceptance criteria
- 10 QA and test cases
- 11 Development infrastructure
- 12 Technical Requirements
- 13 Data Requirements
- 14 Non-Functional Requirements
- 15 Open Discussion Items
- 16 Closed Discussion Items
Status
in production use
Contributors
Adaxa Pty Ltd (Paul Bowden)
Overview
from ... http://sourceforge.net/p/adempiere/contributions/212/
User passwords should be stored in a non-recoverable form in case the database is compromised:
http://www.h-online.com/security/features/Storing-passwords-in-uncrackable-form-1255576.html
Adaxa has implemented password hashing based on the recommendations in
https://www.owasp.org/index.php/Hashing_Java
using a random salt and hashing with 1000 rounds of the SHA-512 algorithm.
Pushed to contribution_adaxa
http://adempiere.hg.sourceforge.net/hgweb/adempiere/contribution_adaxa/rev/6d9090d8a9f6
Testing and comments welcomed.
Notes:
1) added column "salt" to ad_user
2) increased length of ad_user.password to 1024 (see 5)
3) added/changed passwords will automatically be saved in hashed form
4) code will still authenticate plain-text/encrypted passwords
5) if password column is encrypted then stored hashes will be encrypted (redundant but the easiest way to achieve backwards compatibility)
6) Added process "Hash Passwords" to convert all existing user passwords -- backup first!