Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Password Hashing

nobody
nobody October 31, 2018

Please confirm which hashing functions used/available for hashing passwords in databases when using database instead of other LDAP integration.

This link is showing SHA1 - surely this is no longer the case? : https://developer.atlassian.com/server/confluence/password-hash-algorithm/

Answer
Watch
Like Be the first to like this
1908 views

1 answer

0 votes
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 31, 2018

Hi,

The document you've linked notes that Confluence prior to 3.5 (which was many years ago) used a derivative of SHA1-512.

Embedded Crowd (used in Confluence) currently hashes with PBKDF2 and a round length of 10,000. You can read more about the specific implementation here.

Cheers,
Daniel

View More Comments
nobody
nobody October 31, 2018

Which is also using SHA1

Is there nothing there with something suitable such as SHA2?

Like
hari
hari
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 31, 2018

Hi,

We don't use just SHA1 for hashing passwords. The SHA1 mentioned there is the PRF function needed for PBKDF2. We are continuously looking to improve this, but currently do not have immediate plans to change.

Like
nobody
nobody November 1, 2018 edited

So you understand you are using broken hash algorithms but do not have immediate plans to change?

Like
hari
hari
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 1, 2018 edited

Hi, 

Like I mentioned before we are not using plain SHA1 for hashing passwords (for which collision attacks were identified). The SHA1 usage in PBKDF2 is actually a HMAC-SHA1 which is not vulnerable to the same collision attacks as SHA1 hashing algorithm.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
atlassian, atlassian government cloud, fedramp, webinar, register for webinar, atlassian cloud webinar, fedramp moderate offering, work faster with cloud

Unlocking the future with Atlassian Government Cloud ☁️

Atlassian Government Cloud has achieved FedRAMP Authorization at the Moderate level! Join our webinar to learn how you can accelerate mission success and move work forward faster in cloud, all while ensuring your critical data is secure.

Register Now
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.