Apache.org JIRA compromise

Guy Pyrzak guy.pyrzak at gmail.com
Wed Apr 14 14:15:41 UTC 2010

Newer versions of Bugzilla use an MD5-hash with salt, I believe. So they
might have been even safer if they had upgraded.


On Wed, Apr 14, 2010 at 6:18 AM, Gervase Markham <gerv at mozilla.org> wrote:

> We rock:
> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> "JIRA and Confluence both use a SHA-512 hash, but without a random salt. We
> believe the risk to simple passwords based on dictionary words is quite
> high, and most users should rotate their passwords.
> Bugzilla uses a SHA-256, including a random salt. The risk for most users
> is low to moderate, since pre-built password dictionaries are not effective,
> but we recommend users should still remove these passwords from use."
> Gerv
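Added example, not part of the thread and not Bugzilla, JIRA or Confluence code: an audit-style comparison of the two storage schemes the quoted Apache post describes, checking which stored digests a pre-built dictionary table matches. The account names, passwords, wordlist, 8-byte salt and salt-prepended layout are constructed assumptions.

```python
import hashlib
import os

# Constructed sample data: made-up accounts and a tiny made-up wordlist.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#qv!m2Lx"}
WORDLIST = ["password", "sunshine", "letmein"]


def digest(algo, password, salt=b""):
    # Assumed layout: salt bytes prepended to the UTF-8 password.
    return hashlib.new(algo, salt + password.encode("utf-8")).hexdigest()


def store_unsalted(accounts, algo="sha512"):
    """Credential table with no salt, as the post describes for JIRA."""
    return {user: (b"", digest(algo, pw)) for user, pw in accounts.items()}


def store_salted(accounts, algo="sha256"):
    """Credential table with a fresh random salt per account."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(8)  # assumed salt length
        table[user] = (salt, digest(algo, pw, salt))
    return table


def prebuilt_table(wordlist, algo):
    """Digests computed once, ahead of time, with no salt known."""
    return {digest(algo, word) for word in wordlist}


def exposed_by_prebuilt(stored, prebuilt):
    """Accounts whose stored digest appears in a pre-built table."""
    return sorted(u for u, (_, d) in stored.items() if d in prebuilt)


def accounts_sharing_digest(stored):
    """Accounts whose stored digest is identical to another account's."""
    seen = {}
    for user, (_, d) in stored.items():
        seen.setdefault(d, []).append(user)
    return sorted(u for users in seen.values() if len(users) > 1 for u in users)


if __name__ == "__main__":
    for name, stored, algo in (("unsalted SHA-512", store_unsalted(ACCOUNTS), "sha512"),
                               ("salted SHA-256", store_salted(ACCOUNTS), "sha256")):
        print(name, exposed_by_prebuilt(stored, prebuilt_table(WORDLIST, algo)),
              accounts_sharing_digest(stored))
```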