On 2014-02-28 10:07, Nick Hibma wrote:
>
> On 28 Feb 2014, at 02:14, Allan Jude <freebsd_at_allanjude.com> wrote:
>
>> With r262501
>> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
>> the upgraded bcrypt from OpenBSD and eventually changing the default
>> identifier for bcrypt to $2b$ it reminded me of a feature that is often
>> seen in Forum software and other web apps.
>> …
>> This would make it much easier to transition a very large userbase from
>> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
>> something.
>
> The sleeping accounts won't be upgraded, so be left at the 'insecure' algorithm. I do see the point of automatic updating of password hashes for a newer algorithm, but 'not needing expiry' isn't the right argument. It is actually an argument opposing your change!
>
> What you probably meant was: don't hassle users with the change in algorithm, possibly only the users that haven't ever logged in after 6 months.
>
> Nick
>

The algorithm upgrade would upgrade everyone, including people who changed their password just 5 days ago. If an account is dormant, and never logs in, even a password expiry wouldn't force a password change, because the user never logs in.

To better rephrase my point, the goal is to avoid having to adjust every user's password expiry to yesterday, in order to force them all to set new passwords.

--
Allan Jude
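An added example (not from the thread, nor FreeBSD's or any forum's code) of the login-time upgrade Allan describes, with the dormant-account gap Nick raises made visible as a report. The scheme names, the hash string layout and the round counts are assumptions for illustration, not crypt(3)'s identifiers.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: everything not on the current scheme/cost is "outdated".
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_ROUNDS = 100_000


def hash_password(password, scheme=CURRENT_SCHEME, rounds=CURRENT_ROUNDS, salt=None):
    """Produce a modular-crypt-style string "$scheme$...". Formats are constructed for this example."""
    salt = salt or base64.b64encode(os.urandom(16)).decode()
    if scheme == "md5":  # legacy scheme, kept only so that stored entries can be verified and replaced
        digest = hashlib.md5((salt + password).encode()).hexdigest()
        return f"$md5${salt}${digest}"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()
    return f"${scheme}${rounds}${salt}${digest}"


def verify(password, stored):
    """Recompute with the parameters embedded in the stored string and compare in constant time."""
    fields = stored.split("$")
    if fields[1] == "md5":
        _, _, salt, _ = fields
        return hmac.compare_digest(hash_password(password, "md5", salt=salt), stored)
    _, scheme, rounds, salt, _ = fields
    return hmac.compare_digest(hash_password(password, scheme, int(rounds), salt), stored)


def needs_upgrade(stored):
    fields = stored.split("$")
    return fields[1] != CURRENT_SCHEME or int(fields[2]) < CURRENT_ROUNDS


def login(db, user, password):
    """Return True on success; re-hash an outdated entry only after a successful verify,
    because that is the one moment the plaintext is legitimately available."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        db[user] = hash_password(password)
    return True


def legacy_accounts(db):
    """Nick's point: accounts that never log in are never upgraded; list them so they can be expired."""
    return sorted(user for user, stored in db.items() if needs_upgrade(stored))
```

A transition job would run legacy_accounts periodically and apply an expiry only to what it returns, instead of to every user.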
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:47 UTC