Apache.org JIRA compromise
guy.pyrzak at gmail.com
Wed Apr 14 17:58:28 UTC 2010

Ah, did we recently upgrade from the MD5 then? I just know we changed our
password hashing method recently.

On Wed, Apr 14, 2010 at 8:49 AM, Reed Loden <reed at reedloden.com> wrote:
> On Wed, 14 Apr 2010 10:15:41 -0400
> Guy Pyrzak <guy.pyrzak at gmail.com> wrote:
> > Newer versions of Bugzilla use an MD5-hash with salt, I believe. So they
> > might have been even safer if they had upgraded.
> No, SHA-256 hash with per-user unique salts is what current Bugzilla
> trunk (since 3.4, iirc) uses. MD5 hash is bad and should be avoided at
> all costs. We could technically swap to SHA-512, but I'm not sure it's
> worth it for what little extra "protection" would be gained (vs. the
> cost of computing the hash).
> Reed Loden - <reed at reedloden.com>
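
Added example, not part of the original messages and not Bugzilla's code: a sketch of the two points in the thread, namely why per-user salts matter and how a password hashing method can be changed without resetting every account. The `scheme$salt$digest` record format, the function names and the sample accounts are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed record format for this example only: "scheme$salt_hex$digest_hex".
# It is not Bugzilla's actual storage format.

def hash_legacy_md5(password):
    """Unsalted MD5: identical passwords always produce identical records."""
    return "md5$$" + hashlib.md5(password.encode()).hexdigest()

def hash_salted_sha256(password, salt=None):
    """SHA-256 over a per-user random salt followed by the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def verify(password, record):
    """Check a password against a record of either scheme."""
    parts = record.split("$")
    if len(parts) != 3:
        return False
    scheme, salt_hex, digest = parts
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif scheme == "sha256":
        salt = bytes.fromhex(salt_hex)
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    else:
        return False
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate, digest)

def login(users, name, password):
    """Verify, then rewrite a legacy record with the salted scheme."""
    record = users.get(name)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("sha256$"):
        # The plaintext is only available at login, so upgrade here.
        users[name] = hash_salted_sha256(password)
    return True

# Constructed sample accounts: two users who chose the same password.
USERS = {
    "alice": hash_legacy_md5("hunter2"),
    "bob": hash_legacy_md5("hunter2"),
}
```

Before any login the two legacy records are byte-for-byte identical; after each user logs in once, both are stored under the salted scheme and no longer match each other.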