
Improve Password Hashing

Goal: Security

Developer: Carlos Ruiz Heng Sin

Description:

Currently, password hashing uses SHA-512, and the salt is 64 bytes generated with the SHA1PRNG random generator.

This ticket makes the following changes to improve the security of password hashing in iDempiere:

  • Generate the salt using the DRBG algorithm at 256-bit strength.
  • Add support for the PBKDF2 and Argon2 hashing algorithms.

Changes:

  1. Added the USER_PASSWORD_HASH_ALGORITHM System Configurator entry. Supported values are SHA-512, PBKDF2 and Argon2.

(Screenshot: User password hash algorithm, USER_PASSWORD_HASH_ALGORITHM)

  2. Added the Password Hash Algorithm parameter to the Convert passwords to hashes process.

(Screenshot: Convert passwords to hashes process)

Migration of existing SHA-512 hashes:

  • Change the USER_PASSWORD_HASH_ALGORITHM System Configurator entry to PBKDF2 or Argon2 and reset the cache.
  • Each user's password is rehashed with the newly configured algorithm the next time they log in.
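The following is an added example, not iDempiere's own code, showing the three pieces this ticket describes together: a salt drawn from the JDK's DRBG SecureRandom at 256-bit strength, PBKDF2 hashing, and a login path that verifies against the stored algorithm and rehashes when it differs from the configured one. The iteration count, salt length, stored-record layout and legacy SHA-512 input layout are assumptions; Argon2 is left out because it needs a third-party provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.DrbgParameters;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashingExample {
    // Hypothetical parameters; the page does not give iDempiere's iteration count or salt length.
    static final int PBKDF2_ITERATIONS = 210_000, PBKDF2_KEY_BITS = 512, SALT_BYTES = 32;
    // Stored record (hypothetical layout): algorithm tag, salt and hash.
    static final class StoredHash {
        final String algorithm; final byte[] salt, hash;
        StoredHash(String a, byte[] s, byte[] h) { algorithm = a; salt = s; hash = h; }
    }

    // Salt from the JDK's DRBG SecureRandom instantiated at 256-bit security strength.
    static byte[] newSalt() throws Exception {
        SecureRandom drbg = SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(256, DrbgParameters.Capability.PR_AND_RESEED, null));
        byte[] salt = new byte[SALT_BYTES];
        drbg.nextBytes(salt);
        return salt;
    }
    // Dispatch on the algorithm tag. Argon2 is omitted: it needs a third-party provider.
    static byte[] compute(String algorithm, char[] password, byte[] salt) throws Exception {
        if ("PBKDF2".equals(algorithm)) {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        }
        if ("SHA-512".equals(algorithm)) {   // legacy; salt-then-password layout is an assumption
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            md.update(salt);
            return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        }
        throw new IllegalArgumentException("unsupported algorithm: " + algorithm);
    }
    static StoredHash hash(String algorithm, char[] password) throws Exception {
        byte[] salt = newSalt();
        return new StoredHash(algorithm, salt, compute(algorithm, password, salt));
    }

    // Login path: verify under the algorithm the record was stored with (constant-time compare);
    // if that differs from the configured algorithm, return a rehashed record for the caller to persist.
    static StoredHash loginAndMigrate(StoredHash stored, char[] password, String configured) throws Exception {
        if (!MessageDigest.isEqual(compute(stored.algorithm, password, stored.salt), stored.hash)) return null;
        return stored.algorithm.equals(configured) ? stored : hash(configured, password);
    }
}
```

A caller persists the returned record when it is not the same object as the stored one; a null return means the password did not verify and nothing should be rehashed.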

Technical Info: IDEMPIERE-6712


Source: Wiki