Feature Proposal: Transparent upgrade of crypt() algorithms

Nick Hibma nick at van-laarhoven.org
Fri Feb 28 15:08:07 UTC 2014


On 28 Feb 2014, at 02:14, Allan Jude <freebsd at allanjude.com> wrote:

> With r262501
> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> the upgraded bcrypt from OpenBSD and eventually changing the default
> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> seen in Forum software and other web apps.
>
> This would make it much easier to transition a very large userbase from
> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
> something.

The sleeping accounts won’t be upgraded, so they are left at the ‘insecure’ algorithm. I do see the point of automatic updating of password hashes for a newer algorithm, but ‘not needing expiry’ isn’t the right argument. It is actually an argument opposing your change!

What you probably meant was: don’t hassle users with the change in algorithm, possibly only the users that haven’t ever logged in after 6 months.

Nick
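The login-time re-hash described in the quoted proposal, plus a report of the idle accounts Nick points out it will never reach, as an added example that is not part of this thread or of FreeBSD's code. It assumes a password database held as a dict keyed by username, and the hashing is a constructed PBKDF2 stand-in that only mimics crypt(3)'s `$id$salt$hash` layout; the upgrade policy (re-hash anything not already `$2b$`) is an assumption as well.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Upgrade policy for this example (an assumption, not FreeBSD's): every
# successful login re-hashes the password unless the stored hash already
# carries the target identifier. In the real modular crypt format "1" is
# md5crypt, "2a"/"2b" are bcrypt and "5"/"6" are sha256crypt/sha512crypt.
TARGET_ID = "2b"
STANDIN_ROUNDS = {"1": 1000, "5": 5000, "6": 5000, "2a": 4096, "2b": 4096}


def standin_crypt(password: str, setting: str) -> str:
    """Constructed stand-in for crypt(3). It keeps the '$id$salt$hash' shape
    so the upgrade logic can read the identifier, but uses PBKDF2-HMAC-SHA256
    underneath so the example runs without libcrypt. It is not md5crypt,
    sha512crypt or bcrypt and must not be used as such."""
    _, algo_id, salt, *_ = setting.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                 STANDIN_ROUNDS[algo_id])
    return f"${algo_id}${salt}${digest.hex()}"


def algorithm_id(stored: str) -> str:
    """Identifier between the first two '$' of a modular-crypt string."""
    return stored.split("$")[1]


def new_hash(password: str, algo_id: str = TARGET_ID) -> str:
    """Hash with a fresh random salt under the given identifier."""
    return standin_crypt(password, f"${algo_id}${secrets.token_hex(8)}$")


def verify(password: str, stored: str) -> bool:
    """Re-run the stored setting over the candidate; constant-time compare."""
    return hmac.compare_digest(standin_crypt(password, stored), stored)


def login(db: dict, user: str, password: str, now: datetime):
    """Authenticate and, on success, transparently re-hash when the stored
    algorithm is not the target. The plaintext is only available at this
    moment, which is why the upgrade has to happen at login.
    Returns (authenticated, upgraded)."""
    rec = db[user]
    if not verify(password, rec["hash"]):
        return False, False
    rec["last_login"] = now
    if algorithm_id(rec["hash"]) == TARGET_ID:
        return True, False
    rec["hash"] = new_hash(password)
    return True, True


def sleeping_accounts(db: dict, now: datetime, max_idle: timedelta) -> list:
    """Accounts still on an old algorithm whose owners have not logged in
    within max_idle. Login-time upgrading will never reach these, so they
    need a separate decision (expiry, forced reset, or keeping the old hash)."""
    return sorted(user for user, rec in db.items()
                  if algorithm_id(rec["hash"]) != TARGET_ID
                  and now - rec["last_login"] > max_idle)


def make_db(now: datetime) -> dict:
    """Constructed sample password database: two md5crypt-era entries and
    one already on the target identifier."""
    return {
        "alice": {"hash": new_hash("correct horse", "1"),
                  "last_login": now - timedelta(days=3)},
        "bob":   {"hash": new_hash("battery staple", "1"),
                  "last_login": now - timedelta(days=400)},
        "carol": {"hash": new_hash("hunter2", "2b"),
                  "last_login": now - timedelta(days=1)},
    }


if __name__ == "__main__":
    now = datetime(2014, 2, 28)
    db = make_db(now)
    print(login(db, "alice", "correct horse", now))         # (True, True)
    print(algorithm_id(db["alice"]["hash"]))                # 2b
    print(sleeping_accounts(db, now, timedelta(days=180)))  # ['bob']
```

The `sleeping_accounts` report is the operational companion to the transparent upgrade: it lists exactly the entries that would still be sitting on the old algorithm after the rollout, which is the set Nick's objection is about.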