Forum OpenACS Q&A: Re: Usage of SHA-1 in OpenACS
> ... SHA-1 for password encryption in OpenACS

The passwords are not encrypted with SHA1, just hashes of the passwords are saved - but also not in all OpenACS installations. Many large OpenACS sites do not store passwords at all (our university's OpenACS-based LEARN environment is using Kerberos authentication) - so there is absolutely no threat in this. So, one cannot deduce a security threat from the mere usage of sha1.
Notice that the password hashes never leave the system in regular use, so the attacker has to get at them. When the hash is saved in the DB, an attacker needs access to these tables (via system intrusion, SQLi, ...) to attack the hashes. Therefore security pretty much depends on the site security. There is a security threat when, e.g., arbitrary users get access to these database tables, ... but then one is already in big trouble, so the hash is probably not the biggest concern. One has to be careful when old disks are replaced, etc. So, it is certainly better to use modern password-suited hashes. Using sha2 or sha3 is no real improvement.
If you are using a version of OpenACS older than 5.9.1, then there are many more things to worry about than the use of sha1. The biggest threat is usually site-specific packages, which were developed many years ago, at a time when people were primarily concerned about functionality and not about security. My recommendation is to use tools like Acunetix to check the web security as a first step. We use it on every release step in LEARN.
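The reply's point that swapping sha1 for sha2 or sha3 is no real improvement, while a password-suited hash is, can be seen in code. The following is an added illustration, not code from the poster or from OpenACS (which is written in Tcl; Python is used here only because the standard library has everything needed). It assumes PBKDF2-HMAC-SHA256 as the example of a password-suited scheme; the function names, the record format `pbkdf2_sha256$<iterations>$<salt>$<digest>` and the sample password are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password for the demonstration (not from the page).
SAMPLE_PASSWORD = "correct horse battery staple"


def legacy_hash(password: str, algorithm: str = "sha1") -> str:
    """Unsalted, single-round digest of the password.

    The same password always yields the same digest, and computing one digest
    is cheap, no matter whether 'sha1', 'sha256' or 'sha3_256' is chosen.
    That is why changing only the algorithm does not change the risk profile.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a password-suited construction).

    Returns a self-describing record 'pbkdf2_sha256$<iter>$<salt>$<digest>'
    so the iteration count can be raised later without breaking old records.
    The salt makes equal passwords produce different records; the iteration
    count makes each guess deliberately expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed or foreign records never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, digest_b64 = parts
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = 600_000) -> bool:
    """True when a record is not in the current scheme or uses fewer
    iterations than policy, so it can be upgraded at the next successful
    login (the only moment the plaintext password is available)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Two users with the same password: identical legacy digests for every
    # plain hash algorithm, but distinct PBKDF2 records.
    for alg in ("sha1", "sha256", "sha3_256"):
        print(alg, legacy_hash(SAMPLE_PASSWORD) == legacy_hash(SAMPLE_PASSWORD))
    record_a = hash_password(SAMPLE_PASSWORD)
    record_b = hash_password(SAMPLE_PASSWORD)
    print("records differ:", record_a != record_b)
    print("verify ok:", verify_password(SAMPLE_PASSWORD, record_a))
    print("verify wrong:", verify_password("not the password", record_a))
```

The record format is what makes a migration practical: a legacy sha1 column can be left in place, `needs_rehash` flags every row that is not yet a PBKDF2 record, and each user's entry is rewritten at their next successful login rather than in one risky bulk operation.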