Forum OpenACS Q&A: Re: Usage of SHA-1 in OpenACS

Posted by Brian Fenton on
Hi Gustaf and Frank

many thanks for the responses. Yes, your suspicions are correct - this is a concern of one client of ours, who are keen to have an answer.

My takeaway here is that the current usage of SHA-1 for password encryption in OpenACS may be a potential issue, but that there are achievable solutions (involving, as you say, some work).

Apart from that, if I consider OpenACS version 5.91 in its entirety, I can count approx 30 calls to ns_sha1. Not all of these are used for security, I imagine, but do we need to be concerned about any of those 30 calls?

thanks for the help!