From: Nick Hibma
Date: Fri, 28 Feb 2014 16:07:59 +0100
Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms
To: Allan Jude
Cc: FreeBSD Current

On 28 Feb 2014, at 02:14, Allan Jude wrote:

> With r262501
> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> the upgraded bcrypt from OpenBSD and eventually changing the default
> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> seen in Forum software and other web apps.
> …
> This would make it much easier to transition a very large userbase from
> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
> something.

The sleeping accounts won’t be upgraded, so will be left at the ‘insecure’ algorithm. I do see the point of automatic updating of password hashes for a newer algorithm, but ‘not needing expiry’ isn’t the right argument. It is actually an argument opposing your change!

What you probably meant was: don’t hassle users with the change in algorithm, possibly only the users that haven’t ever logged in after 6 months.

Nick
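
An added example, not part of the message above and not FreeBSD code: a small audit that lists the accounts an upgrade-on-login scheme has not yet reached, by reading the crypt(3) identifier in each password field. It assumes the ten-field master.passwd(5) layout and the `*LOCKED*` prefix written by `pw lock`; the function names are hypothetical and the sample records, including the hash bodies, are constructed placeholders.

```python
# Added example: list accounts whose hash is still on a pre-upgrade scheme.
SCHEMES = {"1": "md5crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "2x": "bcrypt", "2y": "bcrypt", "3": "nthash",
           "5": "sha256crypt", "6": "sha512crypt"}
TARGETS = {"bcrypt", "sha512crypt"}  # upgrade targets named in the thread

# Constructed sample in master.passwd(5) layout; hash bodies are placeholders.
SAMPLE_MASTER_PASSWD = """\
root:$6$SALT$PLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2b$10$PLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$SALT$PLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$SALT$PLACEHOLDER:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
dave:XXplaceholder:1004:1004::0:0:Dave:/home/dave:/bin/sh
"""

def classify(field):
    """Return (scheme, locked) for one password field."""
    locked = field.startswith("*LOCKED*")
    if locked:
        field = field[len("*LOCKED*"):]   # the original hash follows the prefix
    if field == "":
        return ("empty", locked)          # no hash stored at all
    if field.startswith("*"):
        return ("nologin", locked)        # password login disabled
    if field.startswith("$"):
        return (SCHEMES.get(field.split("$")[1], "unknown"), locked)
    if field.startswith("_"):
        return ("des-extended", locked)
    if len(field) == 13:
        return ("des", locked)            # traditional DES crypt
    return ("unknown", locked)

def pending_upgrade(text):
    """Accounts that still carry a hash outside TARGETS."""
    pending = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:
            continue                      # comment or not a passwd record
        scheme, locked = classify(fields[1])
        if scheme in TARGETS or scheme in ("nologin", "empty"):
            continue                      # already upgraded, or no hash to upgrade
        pending.append((fields[0], scheme, locked))
    return pending

if __name__ == "__main__":
    for user, scheme, locked in pending_upgrade(SAMPLE_MASTER_PASSWD):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

Run some months after such a change, the remaining entries are the sleeping accounts the message refers to; a locked account keeps its old hash behind the prefix and comes back with it if unlocked.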