Apache.org JIRA compromise

Reed Loden reed at reedloden.com
Wed Apr 14 15:49:14 UTC 2010

On Wed, 14 Apr 2010 10:15:41 -0400
Guy Pyrzak <guy.pyrzak at gmail.com> wrote:

> Newer versions of Bugzilla use an MD5-hash with salt, I believe. So they
> might have been even safer if they had upgraded.

No, SHA-256 hash with per-user unique salts is what current Bugzilla
trunk (since 3.4, iirc) uses. MD5 hash is bad and should be avoided at
all costs. We could technically swap to SHA-512, but I'm not sure it's
worth it for what little extra "protection" would be gained (vs. the
cost of computing the hash).


Reed Loden - <reed at reedloden.com>

dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org

More information about the developers mailing list