Apache.org JIRA compromise

Guy Pyrzak guy.pyrzak at gmail.com
Wed Apr 14 17:58:28 UTC 2010


Ah, did we recently upgrade from the MD5 then? I just know we changed our
password hashing method recently.

-Guy

On Wed, Apr 14, 2010 at 8:49 AM, Reed Loden <reed at reedloden.com> wrote:

> On Wed, 14 Apr 2010 10:15:41 -0400
> Guy Pyrzak <guy.pyrzak at gmail.com> wrote:
>
> > Newer versions of Bugzilla use an MD5-hash with salt, I believe. So they
> > might have been even safer if they had upgraded.
>
> No, SHA-256 hash with per-user unique salts is what current Bugzilla
> trunk (since 3.4, iirc) uses. MD5 hash is bad and should be avoided at
> all costs. We could technically swap to SHA-512, but I'm not sure it's
> worth it for what little extra "protection" would be gained (vs. the
> cost of computing the hash).
>
> ~reed
>
> --
> Reed Loden - <reed at reedloden.com>
>
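
Added example, not part of the original thread and not Bugzilla's own code: a sketch of what per-user salts change compared with an unsalted MD5 table, using a constructed set of accounts in which two users share a password. The `salt$digest` record layout, the 8-byte salt and all function names are assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

SALT_BYTES = 8  # assumption: salt length chosen for this example


def unsalted_md5(password: str) -> str:
    """Legacy scheme: the same password always yields the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: str = "") -> str:
    """Return 'salt$hexdigest' using SHA-256 over salt + password."""
    if not salt:
        salt = secrets.token_hex(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt; compare in constant time."""
    salt, sep, _ = stored.partition("$")
    if not sep or not salt:
        return False  # malformed record: reject rather than raise
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def shared_digest_groups(records: dict[str, str]) -> list[list[str]]:
    """Group users whose stored values are byte-for-byte identical."""
    by_value: dict[str, list[str]] = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


# Constructed sample accounts; alice and carol chose the same password.
SAMPLE = {"alice": "correct horse", "bob": "tr0ub4dor", "carol": "correct horse"}


def demo() -> tuple[list[list[str]], list[list[str]]]:
    md5_table = {u: unsalted_md5(p) for u, p in SAMPLE.items()}
    salted_table = {u: hash_password(p) for u, p in SAMPLE.items()}
    return shared_digest_groups(md5_table), shared_digest_groups(salted_table)


if __name__ == "__main__":
    print(demo())
```

In the unsalted table the shared password is visible as a repeated digest; with per-user salts every stored record is distinct, so one precomputed digest no longer matches several accounts.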