Apache.org JIRA compromise
reed at reedloden.com
Wed Apr 14 15:49:14 UTC 2010
On Wed, 14 Apr 2010 10:15:41 -0400
Guy Pyrzak <guy.pyrzak at gmail.com> wrote:
> Newer versions of Bugzilla use an MD5-hash with salt, I believe. So they
> might have been even safer if they had upgraded.
No, SHA-256 hash with per-user unique salts is what current Bugzilla
trunk (since 3.4, iirc) uses. MD5 hash is bad and should be avoided at
all costs. We could technically swap to SHA-512, but I'm not sure it's
worth it for what little extra "protection" would be gained (vs. the
cost of computing the hash).
Reed Loden - <reed at reedloden.com>
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
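
An added illustration of the point discussed in the message above, not part of the original post and not Bugzilla's own code: it shows what a per-user unique salt changes compared with an unsalted MD5 store. The record layout, the salt-prepended construction, the 8-byte salt and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def md5_unsalted(password: str) -> str:
    """Unsalted MD5: equal passwords always give equal stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def sha256_salted(password: str, salt: str) -> str:
    """SHA-256 over salt + password (construction assumed for this example)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def make_record(password: str) -> dict:
    """Create a stored record with a fresh random salt for one user."""
    salt = secrets.token_hex(8)  # 8 random bytes, hex encoded
    return {"salt": salt, "hash": sha256_salted(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = sha256_salted(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def duplicate_groups(stored: dict) -> list:
    """Return sorted groups of users whose stored hash values are identical."""
    by_hash = defaultdict(list)
    for user, value in stored.items():
        by_hash[value].append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

# Constructed sample accounts: alice and carol picked the same password.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor", "carol": "correct horse"}

def build_stores():
    md5_store = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    salted_store = {u: make_record(p) for u, p in ACCOUNTS.items()}
    return md5_store, salted_store

if __name__ == "__main__":
    md5_store, salted_store = build_stores()
    # Unsalted: a leaked table shows which accounts share a password.
    print("md5 duplicates:   ", duplicate_groups(md5_store))
    # Salted: the same passwords no longer collide in the stored column.
    salted_hashes = {u: r["hash"] for u, r in salted_store.items()}
    print("salted duplicates:", duplicate_groups(salted_hashes))
    print("alice verifies:   ", verify("correct horse", salted_store["alice"]))
```
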