col-panic
commented
6 years ago For reference: https://redmine.medelexis.ch/issues/11252
Open rgwch opened 6 years ago
col-panic
commented
6 years ago For reference: https://redmine.medelexis.ch/issues/11252
While trying to understand the new user concept I find something odd with https://github.com/elexis/elexis-3-core/blob/master/ch.rgw.utility/src/ch/rgw/tools/PasswordEncryptionService.java
Sure, one could honestly argue why a password encryption would be so necessary in a pure inhouse database solution, But since we do it...
The referenced article http://java.dzone.com/articles/secure-password-storage-lots states that the NIST recommends SHA1 as hashing algorithm for the HMAC. Well, that was published before Snowden revealed that the NIST was influenced by NSA and sometimes propagated algorithms with a flaw... Today, actually since 2010, SHA1 is as broken as MD5...
So, you'd better use SHA512 for the hmac if you think that Elexis should have a hacker-safe password storage. (which becomes important if doctors start to expose their database to the internet for external access)
It doesn't matter to me since I use a VPN anyway. So I will not propose a patch for that myself.