Date: Fri, 28 Feb 2014 16:07:59 +0100 From: Nick Hibma <nick@van-laarhoven.org> To: Allan Jude <freebsd@allanjude.com> Cc: FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms Message-ID: <C674BF4F-46A9-497C-BB0D-41E3AE2E0733@van-laarhoven.org> In-Reply-To: <530FE2E9.5010902@allanjude.com> References: <530FE2E9.5010902@allanjude.com>
On 28 Feb 2014, at 02:14, Allan Jude <freebsd@allanjude.com> wrote:

> With r262501
> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> the upgraded bcrypt from OpenBSD and eventually changing the default
> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> seen in Forum software and other web apps.
> …
> This would make it much easier to transition a very large userbase from
> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
> something.

The sleeping accounts won't be upgraded, so they will be left at the 'insecure' algorithm. I do see the point of automatic updating of password hashes for a newer algorithm, but 'not needing expiry' isn't the right argument. It is actually an argument opposing your change!

What you probably meant was: don't hassle users with the change in algorithm, possibly only the users that haven't ever logged in after 6 months.

Nick
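The mechanism under discussion (re-hash with the new default scheme at the moment of a successful login, because that is the only time the plaintext is available) and Nick's objection to it (accounts that never log in stay on the old scheme) can both be shown in a small simulation. This is an added example, not code from FreeBSD's libc or from any of the posters. The two hash functions are constructed stand-ins that only reproduce the crypt(3)-style "$id$salt$hash" layout; they are not real md5crypt or bcrypt, and the identifiers "1" and "6" and the tiny in-memory user database are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for crypt(3) schemes, keyed by the identifier that
# appears between the first two '$' of a stored hash. Neither is a real
# md5crypt/bcrypt/sha512crypt construction; they exist only so the
# upgrade-on-login logic can be exercised offline.
def _legacy_hash(password, salt):
    # Deliberately weak stand-in for the "old" scheme (single MD5 pass).
    return hashlib.md5(salt + password.encode()).hexdigest()

def _modern_hash(password, salt):
    # Stand-in for the "new" default scheme: iterated PBKDF2-HMAC-SHA512.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000).hex()

SCHEMES = {"1": _legacy_hash, "6": _modern_hash}
DEFAULT_SCHEME = "6"   # assumed new default identifier

def make_hash(password, scheme=DEFAULT_SCHEME, salt=None):
    """Return a '$scheme$salt$digest' string for the given scheme."""
    salt = salt or secrets.token_hex(8)
    digest = SCHEMES[scheme](password, salt.encode())
    return f"${scheme}${salt}${digest}"

def scheme_of(stored):
    """Identifier of the scheme a stored hash was produced with."""
    return stored.split("$", 3)[1]

def verify(password, stored):
    """Recompute with the scheme named in the stored hash; constant-time compare."""
    _, scheme, salt, digest = stored.split("$", 3)
    candidate = SCHEMES[scheme](password, salt.encode())
    return hmac.compare_digest(candidate, digest)

def login(db, user, password):
    """Authenticate; on success, transparently re-hash with the default scheme.

    The upgrade must come *after* verification: the plaintext is only
    trusted once it has matched the existing hash, and a failed attempt
    must never rewrite the stored value.
    """
    stored = db[user]
    if not verify(password, stored):
        return False
    if scheme_of(stored) != DEFAULT_SCHEME:
        db[user] = make_hash(password)
    return True

def demo():
    # Constructed user database: both accounts start on the legacy scheme.
    db = {
        "alice": make_hash("correct horse", scheme="1"),
        "bob": make_hash("battery staple", scheme="1"),
    }
    alice_first = login(db, "alice", "correct horse")   # upgrades alice
    alice_again = login(db, "alice", "correct horse")   # still verifies post-upgrade
    bob_bad = login(db, "bob", "wrong password")        # fails, must not upgrade
    # bob never logs in successfully: the "sleeping account" Nick describes.
    return {
        "alice_first": alice_first,
        "alice_again": alice_again,
        "bob_bad": bob_bad,
        "schemes": {u: scheme_of(h) for u, h in db.items()},
    }

if __name__ == "__main__":
    print(demo())
```

The final dictionary shows the asymmetry the thread is about: alice ends on scheme "6" after one successful login, while bob, who never authenticates, is still on scheme "1" no matter how long the new default has been in place. Any migration plan therefore needs a second lever for dormant accounts (expiry, forced reset, or disabling), which is the point being made above.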
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C674BF4F-46A9-497C-BB0D-41E3AE2E0733>
