Password Hashing

nobody October 31, 2018

Please confirm which hashing functions are used/available for hashing passwords in databases when using the database instead of LDAP integration.

This link shows SHA1 - surely this is no longer the case? https://developer.atlassian.com/server/confluence/password-hash-algorithm/

1 answer

0 votes
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 31, 2018

Hi,

The document you've linked notes that Confluence prior to 3.5 (which was many years ago) used a derivative of SHA1-512.

Embedded Crowd (used in Confluence) currently hashes with PBKDF2 and a round length of 10,000. You can read more about the specific implementation here.

Cheers,
Daniel

nobody October 31, 2018

Which is also using SHA1

Is there nothing there with something suitable such as SHA2?

hari
Atlassian Team
October 31, 2018

Hi,

We don't use just SHA1 for hashing passwords. The SHA1 mentioned there is the PRF function needed for PBKDF2. We are continuously looking to improve this, but currently do not have immediate plans to change.

nobody November 1, 2018

So you understand you are using broken hash algorithms but do not have immediate plans to change?

hari
Atlassian Team
November 1, 2018

Hi,

Like I mentioned before, we are not using plain SHA1 for hashing passwords (for which collision attacks were identified). The SHA1 usage in PBKDF2 is actually HMAC-SHA1, which is not vulnerable to the same collision attacks as the SHA1 hashing algorithm.
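To make the distinction in this thread concrete, here is an added example (not Crowd's or Confluence's code, and not the storage format they use) showing PBKDF2 where the hash function is only the PRF inside HMAC: the stored record carries the PRF name, salt and iteration count, verification is constant-time, and a record hashed with HMAC-SHA1 can be re-hashed with HMAC-SHA256 on a successful login. The record layout, the 32-byte derived key and the 16-byte salt are assumptions made for this example; the 10,000 rounds match the figure quoted above.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 10_000   # round count quoted in the thread
SALT_BYTES = 16       # assumption for this example


def hash_password(password: str, prf: str = "sha1", iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None, dklen: int = 32) -> str:
    """Return a self-describing record: pbkdf2-<prf>$<iterations>$<salt b64>$<key b64>.
    The PRF name is whatever hashlib accepts ('sha1', 'sha256', ...); it is used
    only inside HMAC, which is why PBKDF2 does not rely on SHA1 collision resistance."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen=dklen)
    return "$".join([f"pbkdf2-{prf}", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a record into (prf, iterations, salt, derived key)."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    return algo.split("-", 1)[1], int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    prf, iters, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iters, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def verify_and_upgrade(password: str, record: str, target_prf: str = "sha256",
                       target_iters: int = ITERATIONS) -> Tuple[bool, str]:
    """Verify the password; on success, return a fresh record if the stored one
    uses an older PRF or fewer rounds than the target, so a login can migrate it.
    The original record is returned unchanged when verification fails."""
    if not verify_password(password, record):
        return False, record
    prf, iters, _, _ = parse_record(record)
    if prf != target_prf or iters < target_iters:
        return True, hash_password(password, target_prf, target_iters)
    return True, record
```

The migration path only works at login time, because the plaintext password is needed to derive the new key; records that are never used again keep the old parameters.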
