View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005636 | OXID eShop (all versions) | 4.04. Security | public | 2014-02-04 12:04 | 2014-10-27 15:43 |
Field | Value |
---|---|
Reporter | henrik.steffen |
Assigned To | |
Priority | normal |
Severity | feature |
Reproducibility | always |
Status | resolved |
Resolution | unable to reproduce |
Platform | all |
OS | all |
OS Version | all |
Product Version | 4.8.3 / 5.1.3 |
Target Version | 4.8.5 / 5.1.5 |
Summary | 0005636: Use alternative password encryption, md5 is deprecated |
Description | In a security audit of one of our customers, the OXID password encryption using salt and md5() was considered far too weak. There are too many md5 cracking tools available today, so basically an attacker could reverse engineer stolen user passwords from the oxuser table within minutes. |
Additional Information | A preferred solution would be to use bcrypt or SHA1 instead of MD5. See also user voice: http://oxid.uservoice.com/forums/31940-feature-requests/suggestions/5362084-use-bcrypt-instead-of-md5-for-password-hashes |
Tags | No tags attached. |
Theme | Both |
Browser | All |
PHP Version | any |
Database Version | any |

Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0004173 | resolved | jurate.baseviciene | Remove password-generation/hashing from database to php |
waiting for the PO decision.

As far as I can see, this bug can be (finally) closed; it's refactored since 4.9/5.2.

Reminder sent to: henrik.steffen

Hi, thank you very much for submitting this feature request. We implemented it since version 4.9/5.2. Since version 4.9/5.2 we are using SHA2 instead of MD5. Best regards, Jurate
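The hash upgrade the reporter asks for, as an added PHP example that is not OXID code (the final note says OXID moved to SHA2; this shows the bcrypt option the reporter suggested). It assumes a hypothetical legacy record of the form md5($password . $salt) stored beside its salt, and rehashes it with password_hash() on the next successful login, so stored md5 hashes are retired without forcing a password reset.

```php
<?php
// Added example, not OXID code. Replaces a legacy salted-md5 password hash
// (assumed layout: md5($password . $salt), salt stored in the clear) with a
// bcrypt hash from password_hash(), upgrading transparently at login time.

declare(strict_types=1);

const LEGACY_MD5 = 'legacy-md5';
const BCRYPT_COST = 12; // tune so one hash takes roughly 100-250 ms on the login hosts

/** Verify a login; return the (possibly upgraded) stored record, or null on failure. */
function verify_and_upgrade(string $password, array $record): ?array
{
    if ($record['scheme'] === LEGACY_MD5) {
        // Legacy check: a single fast md5 per guess is exactly what the audit flagged.
        $legacy = md5($password . $record['salt']);
        if (!hash_equals($record['hash'], $legacy)) {
            return null;
        }
        // The plaintext is known to be correct right now, so upgrade the hash immediately.
        return [
            'scheme' => 'bcrypt',
            'salt'   => null, // bcrypt embeds its own random salt in the hash string
            'hash'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        ];
    }

    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    // Keep already-migrated hashes current when the cost policy is raised later.
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $record['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $record;
}

// Constructed sample record in the legacy scheme (salt and password are made up).
$salt = 'c0ffee';
$legacyRecord = ['scheme' => LEGACY_MD5, 'salt' => $salt, 'hash' => md5('correct horse' . $salt)];

$upgraded = verify_and_upgrade('correct horse', $legacyRecord);
assert($upgraded !== null && $upgraded['scheme'] === 'bcrypt');
assert(verify_and_upgrade('wrong password', $legacyRecord) === null);
assert(verify_and_upgrade('correct horse', $upgraded) !== null);
echo "legacy hash upgraded to: {$upgraded['hash']}\n";
```

The legacy branch must be removed once every row has been migrated, otherwise an attacker who can write to the user table could downgrade a record back to the md5 scheme.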