
Passwords Stored as SHA-1 in Unencrypted Backups

Going through the configuration backup process for the Sophos Email Appliance and came across the following:

  • Only backup option is FTP
  • Does not require username and password
  • Backup files are not encrypted
  • Admin/Helpdesk passwords are stored in raw SHA-1

As a security company it would seem that this process would be a little more hardened...or at least follow the OWASP standards for protecting stored credentials...https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md


Has anyone else been concerned with this process?
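To make the concern in the post concrete, here is an added example (my code, not Sophos code and not taken from any appliance backup). It assumes a simple, constructed "user:hash" line format for the credential entries, builds two sample accounts with weak passwords stored as unsalted SHA-1, shows an audit check that flags bare SHA-1 digests in a backup, runs a dictionary attack against them, and then stores the same password the OWASP way with a per-user random salt and a slow KDF. PBKDF2-HMAC-SHA256 is used here only because it ships in Python's standard library; the OWASP cheat sheet prefers Argon2id or bcrypt where available.

```python
"""Raw SHA-1 in a plaintext backup versus OWASP-style password storage.

Added example, not Sophos code. The backup format (constructed
'user:sha1hex' lines) and the account data are assumptions; the thread
does not show a real Sophos Email Appliance backup.
"""
import hashlib
import hmac
import os
import re

# Constructed sample data: two admin accounts with weak passwords, stored
# as the post describes, as unsalted SHA-1 hex digests.
SAMPLE_USERS = {"admin": "Summer2019!", "helpdesk": "password1"}

# Tiny constructed wordlist standing in for a real one (rockyou.txt etc.).
WORDLIST = ["letmein", "password1", "Welcome1", "Summer2019!", "sophos"]

# A bare 40-hex-char token: no salt, no cost parameter, no algorithm tag.
SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def make_sample_backup(users=SAMPLE_USERS):
    """Build a backup fragment in the assumed 'user:sha1hex' format."""
    return "\n".join(
        f"{user}:{hashlib.sha1(pw.encode()).hexdigest()}"
        for user, pw in users.items()
    )


def find_raw_sha1(backup_text):
    """Audit check: return (user, digest) for every line holding a bare SHA-1.

    Use this against your own exported backup before worrying about cracking:
    if it returns anything, the credentials are stored unsalted.
    """
    hits = []
    for line in backup_text.splitlines():
        user, _, value = line.partition(":")
        value = value.strip()
        if SHA1_HEX.fullmatch(value):
            hits.append((user, value))
    return hits


def crack_raw_sha1(backup_text, wordlist=WORDLIST):
    """Dictionary attack against unsalted SHA-1.

    With no salt, one SHA-1 per candidate word tests that word against every
    account at once: hash the wordlist once, then look each stored digest up.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in find_raw_sha1(backup_text) if h in table}


# OWASP-style storage: per-user random salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the stored hash and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    backup = make_sample_backup()
    print("raw SHA-1 entries found:", find_raw_sha1(backup))
    print("recovered with the wordlist:", crack_raw_sha1(backup))
    stored = hash_password("Summer2019!")
    print("OWASP-style record:", stored)
    print("verify correct password:", verify_password("Summer2019!", stored))
    print("verify wrong password:", verify_password("password1", stored))
    print("audit flags the new record:", find_raw_sha1(f"admin:{stored}"))
```

The point the lookup table makes is the one the post is driving at: against unsalted SHA-1, the attacker pays one hash per wordlist entry for the whole user table, and for common passwords that work is already done (rainbow tables, public cracked-hash lookups). Against the salted, iterated record, every guess costs 600,000 HMAC operations per account, and precomputation is useless. Run `find_raw_sha1` over a backup you have downloaded to confirm what the appliance actually writes before relying on either conclusion.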



Hello

You can download the backup to a local machine as well by clicking the Download button in the backup option. Regarding encrypted backup and password encrypted in SHA-1, I'll get that checked and see what the developments are in that direction.

Regards

Jaydeep