View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005636 | OXID eShop (all versions) | 4.04. Security | public | 2014-02-04 12:04 | 2014-10-27 15:43 |

| Status | resolved | Resolution | unable to reproduce |
| Product Version | 4.8.3 / 5.1.3 |
| Target Version | 4.8.5 / 5.1.5 | Fixed in Version | |
| Summary | 0005636: Use alternative password encryption, md5 is deprecated |
|Description||In a security audit of one of our customers the OXID password encryption using salt and md5() was considered far too weak.|
There are too many md5 cracking tools available today, so basically, an attacker could reverse engineer stolen user passwords from the oxuser table within minutes.
|Additional Information||A preferred solution would be to use bcrypt or SHA1 instead of MD5.|
See also user voice:
|Tags||No tags attached.|
||waiting for the PO decision.|
||As far as I can see, this bug can be (finally) closed; it's refactored since 4.9/5.2.
Reminder sent to: henrik.steffen
Thank you very much for submitting this feature request. We have implemented it as of version 4.9/5.2. Since version 4.9/5.2 we have been using SHA2 instead of MD5.