I need password encryption in the database, about act_id_user PWD_.
I need you to tell me what to do.
thanks!
Hi,
The identity tables in Flowable are just a simple implementation, but I agree that the plain text passwords are not great. There’s already an open issue for this and we need to implement the hashing logic for this.
Best regards,
Tijs
Is this implementation already in the plan?
It looks nice.
Which kind of encryption do you plan to use, an MD5 hash?
Maybe I could help to develop this feature.
I'll wait for your comments.
Best regards
An MD5 hash would be fine indeed.
If you can help with the implementation, that’s great.
Best regards,
Tijs
Hi,
I suggest that when this is implemented it should not be an MD5 hash. This is not a recommended way to do this anymore.
It is more usual to use an algorithm suited to hashing passwords like bcrypt, scrypt or PBKDF2 with a salt which is also saved in the database. This is then hard to bruteforce if the database is compromised.
I think if this is implemented it should be done in a way that is considered good by today's standards.
References:
https://crackstation.net/hashing-security.htm#faq
https://www.owasp.org/index.php/Hashing_Java
http://security.blogoverflow.com/2013/09/about-secure-password-hashing/
/Paul
I suggest that when this is implemented it should not be an MD5 hash. This is not a recommended way to do this anymore.
I can second this. MD5 is not secure anymore.
Is there already an issue for this topic?
Yes, this issue is already created:
https://github.com/flowable/flowable-engine/issues/354
Best regards,
Tijs
Currently I'm working on this issue. Instead of implementing password hashing, I decided to reuse an existing library. So far I've added support for Spring Security, Apache Commons Codec, Jasypt and jBCrypt.
Let me know if I missed any other library.