Is there any official documentation with this information?
The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
Algorithm used to Encrypt Password when "Hashed" is selected
MVP
Certified Developer
- 558
- 6401
- 7/29/2011
- United Kingdom
yadm_rs wrote:
It's SHA1. You can see the details of the implementation in the EncryptionService source.
Is there any official documentation with this information?
The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
It's SHA1. You can see the details of the implementation in the EncryptionService source.
- 1390
- 11685
- 8/10/2012
- United States
petemitch wrote:
If that's the case, I'm guessing that 3.80 or the next version will use SHA256 because everybody, everywhere is dropping support for SHA1...just too hackable.
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
Is there any official documentation with this information?
The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
It's SHA1. You can see the details of the implementation in the EncryptionService source.
The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
It's SHA1. You can see the details of the implementation in the EncryptionService source.
If that's the case, I'm guessing that 3.80 or the next version will use SHA256 because everybody, everywhere is dropping support for SHA1...just too hackable.
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
