Conversation

Notices

1. chromatic

   Upgrading users in place from SHA-1 to Bcrypt passwords was more work than I thought.

   about 4 months ago from web
   • Christopher Allan Webber

     ... is that possible without a rainbow table?

     about 4 months ago
   • Remote profile options...
     Psychedelic Squid Christopher Allan Webber

     If you transition people as they log in, yes. Basically, you check their attempted password against the old system, then on success ..

     about 4 months ago
   • Remote profile options...
     Psychedelic Squid Christopher Allan Webber

     .. store the new hash (possible since you briefly have the cleartext password again), and a flag to indicate the old hash shouldn’t be used.

     about 4 months ago
   • Remote profile options...
     Psychedelic Squid Christopher Allan Webber

     Well, more precisely, a flag saying the old hashing method shouldn’t be used. No reason to keep the old hash itself.

     about 4 months ago
   • Christopher Allan Webber Psychedelic Squid

     Oh, that makes sense! And yeah, that would require complexity/hacks, but logical solution

     about 4 months ago
   • chromatic Christopher Allan Webber

     Sure; when users log in successfully, rehash their incoming passwords and update them in place.

     about 4 months ago