I guess I didn't make myself clear. I wrote a routine that salted and hashed all of the plain text passwords that were in the system. It was a simple routine that only needed to run once. There was no inconvenience to the users, as their passwords didn't change; they just were secure from anyone else accessing them.
I guess the question becomes: can you take the site offline for 20 minutes to run the routine and update your login security to be based on salts and hashes?

Cheers,
Rob

On Tue, Mar 5, 2013 at 1:29 PM, Roger Austin <[email protected]> wrote:

> On 3/5/2013 7:15 AM, Torrent Girl wrote:
> >
> > Hello all
> >
> > I am implementing salt/password hash to an application that is being redeveloped.
> >
> > Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.
> >
> > What would be the best practice for adding salt/hash to all of the existing records?
>
> A field for PasswordExpiration or MustResetPassword in the database is
> helpful for this and other things. You can check on login to see if it
> is set and force a password change. I've used both in different
> situations. That way, you can force the issue once you have your
> salt-hash function set up.
>
> --
> LinkedIn: http://www.linkedin.com/pub/8/a4/60
> Twitter: http://twitter.com/RogerTheGeek
> Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354832
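
The one-time conversion discussed in this thread, as an added sketch that is not code from any poster. It assumes a hypothetical `users` table, in-memory SQLite standing in for the application's database, and PBKDF2-HMAC-SHA256 as the salted hash, since the thread does not name an algorithm.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor, stored per row so it can be raised later

def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def migrate(conn):
    """One-time pass: give each account its own salt and hash, then clear the plaintext."""
    rows = conn.execute(
        "SELECT id, password FROM users WHERE password IS NOT NULL").fetchall()
    with conn:  # one transaction: every row converts or none do
        for user_id, plaintext in rows:
            salt = os.urandom(16)  # unique random salt per account
            conn.execute(
                "UPDATE users SET pw_salt=?, pw_hash=?, pw_iter=?, password=NULL "
                "WHERE id=?",
                (salt, hash_password(plaintext, salt), ITERATIONS, user_id))
    return len(rows)  # a second run finds no plaintext rows and returns 0

def verify_login(conn, username, candidate):
    """Login check after migration: recompute with the stored salt, compare in constant time."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash, pw_iter FROM users WHERE username=?",
        (username,)).fetchone()
    if row is None or row[1] is None:
        return False
    salt, stored, iterations = row
    return hmac.compare_digest(stored, hash_password(candidate, salt, iterations))

def demo_db():
    """Constructed sample data: three legacy accounts with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, pw_salt BLOB, pw_hash BLOB, pw_iter INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "hunter2")])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = demo_db()
    print("migrated accounts:", migrate(db))
    print("alice can still log in:", verify_login(db, "alice", "correct horse"))
```

Once the migration has been verified, drop the plaintext column and purge any backups or logs that still hold the old values.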

