Request for Improved Password Encryption in EspoCRM

  • partomas
    Active Community Member
    • Sep 2018
    • 331

    Request for Improved Password Encryption in EspoCRM

    Dear EspoCRM Team,

    In accordance with ISO/IEC 27001, NIS2, and modern cybersecurity best practices, encryption is a fundamental pillar of data security. ̶T̶h̶e̶ ̶c̶u̶r̶r̶e̶n̶t̶l̶y̶ ̶i̶m̶p̶l̶e̶m̶e̶n̶t̶e̶d̶ ̶M̶D̶5̶ ̶h̶a̶s̶h̶i̶n̶g̶ ̶f̶u̶n̶c̶t̶i̶o̶n̶ ̶i̶n̶ ̶E̶s̶p̶o̶C̶R̶M̶ ̶i̶s̶ ̶w̶i̶d̶e̶l̶y̶ ̶c̶o̶n̶s̶i̶d̶e̶r̶e̶d̶ ̶o̶u̶t̶d̶a̶t̶e̶d̶ ̶a̶n̶d̶ ̶i̶n̶s̶e̶c̶u̶r̶e̶.̶ As such, I strongly recommend replacing it with more robust algorithms to align with contemporary standards.

    For password hashing, bcrypt is the industry standard due to its computational cost and built-in salting mechanism, which greatly enhances resistance to brute force and rainbow table attacks. Ideally, bcrypt should be used in conjunction with SHA-512 for hashing, ensuring maximum security.

    This change would significantly strengthen EspoCRM's security posture and demonstrate a commitment to safeguarding user data in line with modern practices.

    Thank you for your attention to this important matter. I look forward to your updates.

    Best regards,
    Tomas
    Last edited by yuri; 12-21-2024, 10:13 AM. Reason: Stricken through the misleading information.
  • yuri
    Member
    • Mar 2014
    • 8546

    #2
    Hi Tomas,

    > The currently implemented MD5 hashing function in EspoCRM is widely considered outdated and insecure.

    It is not true that Espo uses MD5 for password hashing. It was SHA-512 until v9.0.

    Bcrypt password hashing is already implemented for v9.0.
    If you find EspoCRM good, we would greatly appreciate it if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.
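Worked example, added here and not code from EspoCRM or from either poster: it shows the kind of transition both posts touch on, verifying a login against either a legacy SHA-512 hash or a bcrypt hash and transparently upgrading legacy entries to bcrypt on success. The legacy format (an unsalted hex SHA-512 digest), the constant names and the cost factor are assumptions for illustration, not EspoCRM's actual storage format.

```php
<?php
// Added example (not EspoCRM code). Verifies a password against a stored hash
// that is either a legacy SHA-512 hex digest or a bcrypt hash, and returns the
// hash that should now be stored so legacy entries migrate to bcrypt on login.

const BCRYPT_COST = 12; // assumption: tune to the deployment's hardware

function hashPassword(string $password): string
{
    // password_hash() generates a random salt and embeds it in the result.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function isLegacySha512(string $stored): bool
{
    // Assumed legacy format: 128 lowercase hex chars of an unsalted SHA-512.
    return preg_match('/^[0-9a-f]{128}$/', $stored) === 1;
}

/**
 * Returns null when the password is wrong. On success, returns the hash to
 * persist: a fresh bcrypt hash if the stored one was legacy or below the
 * current cost, otherwise the existing stored hash unchanged.
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacySha512($stored)) {
        // hash_equals() is constant-time, avoiding a timing side channel.
        if (!hash_equals($stored, hash('sha512', $password))) {
            return null;
        }
        return hashPassword($password); // upgrade legacy entry to bcrypt
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password); // stored cost is too low; rehash
    }
    return $stored;
}

// Constructed demo data: a legacy entry for a sample password.
$legacy = hash('sha512', 'correct horse battery staple');

$upgraded = verifyAndUpgrade('correct horse battery staple', $legacy);
assert($upgraded !== null && password_get_info($upgraded)['algoName'] === 'bcrypt');
assert(verifyAndUpgrade('wrong password', $legacy) === null);
assert(verifyAndUpgrade('correct horse battery staple', $upgraded) === $upgraded);
```

Because bcrypt cannot be applied to an existing digest without the plaintext, this on-login upgrade is the usual way to retire the legacy hashes; accounts that never log in keep the old hash and need a forced reset.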
