Apache.org JIRA compromise

Gervase Markham gerv at mozilla.org
Wed Apr 14 10:18:35 UTC 2010

We rock:

"JIRA and Confluence both use a SHA-512 hash, but without a random salt. 
We believe the risk to simple passwords based on dictionary words is 
quite high, and most users should rotate their passwords.

Bugzilla uses a SHA-256, including a random salt. The risk for most 
users is low to moderate, since pre-built password dictionaries are not 
effective, but we recommend users should still remove these passwords 
from use."
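
The difference the quoted statement draws between unsalted and salted hashes can be shown with a short added example (not part of the original message, and not code from JIRA, Confluence or Bugzilla). The word list, account names, passwords and the salt-prepended construction are all assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample data: a small word list and three accounts.
WORDLIST = ["password", "dragon", "letmein", "sunshine"]
ACCOUNTS = {"alice": "dragon", "bob": "dragon", "carol": "x7!Qp#92vLm"}

def unsalted_sha512(password):
    return hashlib.sha512(password.encode()).hexdigest()

def salted_sha256(password, salt):
    # Assumption: salt prepended to the password; real schemes may differ.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_stores(accounts):
    """Return (unsalted, salted) credential tables for the same accounts."""
    unsalted = {u: unsalted_sha512(p) for u, p in accounts.items()}
    salted = {}
    for user, password in accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        salted[user] = (salt, salted_sha256(password, salt))
    return unsalted, salted

def prebuilt_table(wordlist):
    """Digest -> word map computed once, with no knowledge of any salt."""
    table = {}
    for word in wordlist:
        table[unsalted_sha512(word)] = word
        table[hashlib.sha256(word.encode()).hexdigest()] = word
    return table

def accounts_matched(unsalted, salted, table):
    """Users whose stored digest appears in the pre-built table."""
    hits_unsalted = sorted(u for u, h in unsalted.items() if h in table)
    hits_salted = sorted(u for u, (_, h) in salted.items() if h in table)
    return hits_unsalted, hits_salted

def shared_digest_groups(store):
    """Groups of users whose stored digests are identical."""
    groups = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    unsalted, salted = build_stores(ACCOUNTS)
    print(accounts_matched(unsalted, salted, prebuilt_table(WORDLIST)))
    print(shared_digest_groups(unsalted))
    print(shared_digest_groups({u: h for u, (_, h) in salted.items()}))
```

The salt only defeats the pre-built table and hides password reuse between accounts; a dictionary word can still be tested against one account at a time, which is consistent with the "low to moderate" rating and the advice to retire the passwords anyway.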

