Date: Fri, 28 Feb 2014 12:16:45 -0500
From: Allan Jude <freebsd@allanjude.com>
To: Nick Hibma <nick@van-laarhoven.org>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: Feature Proposal: Transparent upgrade of crypt() algorithms
Message-ID: <5310C47D.3030708@allanjude.com>
In-Reply-To: <C674BF4F-46A9-497C-BB0D-41E3AE2E0733@van-laarhoven.org>
References: <530FE2E9.5010902@allanjude.com> <C674BF4F-46A9-497C-BB0D-41E3AE2E0733@van-laarhoven.org>

On 2014-02-28 10:07, Nick Hibma wrote:
>
> On 28 Feb 2014, at 02:14, Allan Jude <freebsd@allanjude.com> wrote:
>
>> With r262501
>> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
>> the upgraded bcrypt from OpenBSD and eventually changing the default
>> identifier for bcrypt to $2b$ it reminded me of a feature that is often
>> seen in Forum software and other web apps.
>> …
>> This would make it much easier to transition a very large userbase from
>> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
>> something.
>
> The sleeping accounts won't be upgraded, so be left at the 'insecure' algorithm. I do see the point of automatic updating of password hashes for a newer algorithm, but 'not needing expiry' isn't the right argument. It is actually an argument opposing your change!
>
> What you probably meant was: don't hassle users with the change in algorithm, possibly only the users that haven't ever logged in after 6 months.
>
> Nick
>

The algorithm upgrade would upgrade everyone, including people who
changed their password just 5 days ago.

If an account is dormant, and never logs in, even a password expiry
wouldn't force a password change, because the user never logs in.

To better rephrase my point, the goal is to avoid having to adjust every
user's password expiry to yesterday, in order to force them all to set
new passwords.

--
Allan Jude
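
The rehash-on-login behaviour discussed in this thread, as an added example that is not part of the original e-mail and is not FreeBSD code. It assumes two stand-in schemes built from `hashlib` (the made-up tags `x-legacy` and `x-pbkdf2`) in place of md5crypt and bcrypt/sha512crypt via crypt(3); all function names and the sample accounts are hypothetical.

```python
import hashlib, hmac, os

# Stand-in schemes (assumption): a real system would call crypt(3) with
# md5crypt / bcrypt / sha512crypt. The tags below are made up for this demo.
PREFERRED = "x-pbkdf2"

def _digest(scheme, password, salt):
    pw = password.encode()
    if scheme == "x-legacy":            # fast salted MD5: the format being retired
        return hashlib.md5(salt + pw).hexdigest()
    if scheme == "x-pbkdf2":            # slow KDF standing in for the new default
        return hashlib.pbkdf2_hmac("sha512", pw, salt, 100_000).hex()
    raise ValueError("unknown scheme: " + scheme)

def make_hash(password, scheme=PREFERRED):
    salt = os.urandom(16)
    return "${}${}${}".format(scheme, salt.hex(), _digest(scheme, password, salt))

def verify(password, stored):
    _, scheme, salt_hex, expected = stored.split("$")
    actual = _digest(scheme, password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)

def login(db, user, password):
    """Authenticate; on success, re-hash in place if the stored scheme is outdated."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False                    # never rewrite the hash on a failed attempt
    if stored.split("$")[1] != PREFERRED:
        db[user] = make_hash(password)  # the cleartext is only available right now
    return True

def scheme_of(db, user):
    return db[user].split("$")[1]

def demo():
    # Constructed sample database: both accounts start on the legacy scheme.
    db = {"active": make_hash("hunter2", "x-legacy"),
          "dormant": make_hash("letmein", "x-legacy")}
    assert not login(db, "active", "wrong")   # failed login: no upgrade
    assert login(db, "active", "hunter2")     # successful login: upgraded
    return {u: scheme_of(db, u) for u in db}  # "dormant" never logged in

if __name__ == "__main__":
    print(demo())
```

The account that never logs in keeps its legacy hash, which is the case both messages in the thread point at.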
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5310C47D.3030708>