View Issue Details

IDProjectCategoryView StatusLast Update
0005636OXID eShop (all versions)4.04. Securitypublic2014-10-27 15:43
Reporterhenrik.steffen 
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionunable to reproduce 
PlatformallOSallOS Versionall
Product Version4.8.3 / 5.1.3 
Target Version4.8.5 / 5.1.5Fixed in Version 
Summary0005636: Use alternative password encryption, md5 is deprecated
DescriptionIn a security audit of one of our customers the OXID password encryption using salt and md5() was considered far too weak.

There are too many md5 cracking tools available today, so basically, an attacker could reverse engineer stolen user passwords from the oxuser table within minutes.

Additional InformationA preferred solution would be to use bcrypt or SHA1 instead of MD5.

See also user voice:
http://oxid.uservoice.com/forums/31940-feature-requests/suggestions/5362084-use-bcrypt-instead-of-md5-for-password-hashes
TagsNo tags attached.
ThemeBoth
BrowserAll
PHP Versionany
MySQL Versionany

Relationships

related to 0004173 resolvedjurate.baseviciene Remove password-generation/hashing from database to php 

Activities

svetlana

2014-03-28 10:04

reporter   ~0009744

waiting for the PO decision.

FibreFoX

2014-10-22 16:11

reporter   ~0010263

as far as i can see, this bug can be (finally) closed, its refactored since 4.9/5.2

jurate.baseviciene

2014-10-27 15:42

reporter   ~0010279

Reminder sent to: henrik.steffen

Hi,
Thank you very much for submitting this feature request. We implemented it since version 4.9/5.2. Since version 4.9/5.2 we are using SHA2 instead of MD5.


Best regards,
Jurate