Date: Fri, 28 Feb 2014 16:14:03 -0500
From: John Baldwin <jhb@freebsd.org>
To: freebsd-current@freebsd.org
Cc: Nick Hibma <nick@van-laarhoven.org>
Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID: <201402281614.03713.jhb@freebsd.org>
In-Reply-To: <5310C47D.3030708@allanjude.com>
References: <530FE2E9.5010902@allanjude.com> <C674BF4F-46A9-497C-BB0D-41E3AE2E0733@van-laarhoven.org> <5310C47D.3030708@allanjude.com>
On Friday, February 28, 2014 12:16:45 pm Allan Jude wrote:
> On 2014-02-28 10:07, Nick Hibma wrote:
> >
> > On 28 Feb 2014, at 02:14, Allan Jude <freebsd@allanjude.com> wrote:
> >
> > > With r262501
> > > (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> > > the upgraded bcrypt from OpenBSD and eventually changing the default
> > > identifier for bcrypt to $2b$ it reminded me of a feature that is often
> > > seen in Forum software and other web apps.
> > > …
> > > This would make it much easier to transition a very large userbase from
> > > md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
> > > something.
> >
> > The sleeping accounts won't be upgraded, so will be left at the 'insecure'
> > algorithm. I do see the point of automatic updating of password hashes for
> > a newer algorithm, but 'not needing expiry' isn't the right argument. It is
> > actually an argument opposing your change!
> >
> > What you probably meant was: don't hassle users with the change in
> > algorithm, possibly only the users that haven't ever logged in after 6
> > months.
> >
> > Nick
> >
>
> The algorithm upgrade would upgrade everyone, including people who
> changed their password just 5 days ago. If an account is dormant, and
> never logs in, even a password expiry wouldn't force a password change,
> because the user never logs in.
>
> To better rephrase my point, the goal is to avoid having to adjust every
> user's password expiry to yesterday, in order to force them all to set
> new passwords.

I think Nick's point is you do want passwords using the "old" hash to expire
at some point if they haven't been auto-converted.

-- 
John Baldwin
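The mechanism the thread is debating, as an added example that is not part of the original mail or of FreeBSD's code: the login path is the only moment the plaintext is in hand, so that is where a hash with a legacy crypt() identifier ($1$ md5crypt, or the 13-character DES form) gets silently re-hashed with the preferred algorithm; a separate sweep then flags whatever legacy hashes remain after a deadline, which is the expiry John and Nick say is still needed for dormant accounts. The prefix-to-algorithm mapping is the real modular-crypt convention; the hashing backend (`standin_crypt`, PBKDF2 in the same `$id$salt$hash` layout), the round counts, the user records and the dates are constructed for this example, and a real implementation would call crypt(3)/crypt_r(3) instead.

```python
"""Transparent crypt() algorithm upgrade at login, plus an expiry sweep for
accounts that never log in.  Added example, not FreeBSD code.  The hash
backend is a stand-in: PBKDF2 laid out like crypt(3) output so the policy
logic can be exercised offline.  Dates are ISO strings ("YYYY-MM-DD"), which
compare correctly as plain strings."""
import base64
import hashlib
import hmac
import os
import re

# Identifiers crypt(3) uses in modular-crypt strings.  $2b$ is the identifier
# the thread says FreeBSD will move to after importing OpenBSD's bcrypt.
ALGO_BY_PREFIX = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}
LEGACY = {"descrypt", "md5crypt"}   # algorithms we want to migrate away from
PREFERRED = "$6$"                   # assumption: sha512crypt is the target


def algorithm_of(stored):
    """Name the algorithm from the hash prefix; 13 chars with no '$' is old DES."""
    for prefix, name in ALGO_BY_PREFIX.items():
        if stored.startswith(prefix):
            return name
    if len(stored) == 13 and "$" not in stored:
        return "descrypt"
    return "unknown"


_MODULAR = re.compile(r"^(\$[0-9a-z]+\$)([^$]+)\$(.+)$")
_ROUNDS = {"$1$": 1000, "$6$": 5000}   # constructed stand-in work factors


def standin_crypt(password, prefix=PREFERRED, salt=None):
    """Stand-in for crypt(3): same $id$salt$hash layout, PBKDF2-HMAC-SHA256 core."""
    if salt is None:
        salt = base64.b64encode(os.urandom(12)).decode()   # 16 chars, never contains '$'
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), _ROUNDS[prefix])
    return prefix + salt + "$" + base64.b64encode(digest).decode().rstrip("=")


def verify(password, stored):
    """Recompute with the stored prefix and salt, compare in constant time."""
    m = _MODULAR.match(stored)
    if not m or m.group(1) not in _ROUNDS:
        return False   # a layout this stand-in cannot check
    return hmac.compare_digest(standin_crypt(password, m.group(1), m.group(2)), stored)


_DUMMY = standin_crypt("dummy")   # checked for unknown users so timing matches a real check


def login(db, user, password, today):
    """Returns 'denied', 'ok', 'upgraded' or 'change-required'."""
    rec = db.get(user)
    if rec is None:
        verify(password, _DUMMY)
        return "denied"
    if not verify(password, rec["hash"]):
        return "denied"
    if rec.get("must_change"):
        return "change-required"   # expired legacy hash; the new password gets PREFERRED
    if algorithm_of(rec["hash"]) == ALGO_BY_PREFIX[PREFERRED]:
        return "ok"
    # The plaintext is available only here, so this is the one moment the
    # legacy hash can be replaced without bothering the user.
    rec["hash"] = standin_crypt(password, PREFERRED)
    rec["changed"] = today
    return "upgraded"


def expire_legacy(db, today, deadline):
    """Dormant accounts never hit login(), so on or after DEADLINE flag every
    remaining legacy hash as requiring a change; returns the users flagged."""
    flagged = []
    if today < deadline:
        return flagged
    for user, rec in db.items():
        if algorithm_of(rec["hash"]) in LEGACY and not rec.get("must_change"):
            rec["must_change"] = True
            flagged.append(user)
    return flagged


def sample_db():
    """Constructed sample: two md5crypt users, one already on sha512crypt."""
    return {
        "alice": {"hash": standin_crypt("correct horse", "$1$"), "must_change": False},
        "bob":   {"hash": standin_crypt("hunter2", "$1$"), "must_change": False},
        "carol": {"hash": standin_crypt("tr0ub4dor", "$6$"), "must_change": False},
    }


if __name__ == "__main__":
    db = sample_db()
    print(login(db, "alice", "correct horse", "2014-03-01"))   # upgraded
    print(expire_legacy(db, "2014-09-01", "2014-09-01"))       # ['bob']
    print(login(db, "bob", "hunter2", "2014-09-02"))           # change-required
```

Note that `expire_legacy` flags rather than locks: the user still authenticates against the old hash once more so that the forced change can happen, which is the ordinary expiry flow and the fallback John describes for hashes that were never auto-converted.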
