On 07/26/2015 10:36 PM, Jim Starkey wrote:
> The bottom line is this: If you are going to change the password hash,
> you are going to invalidate all existing passwords. But rather than
> start over with an already flawed architecture, punt on storing
> passwords at all and go exclusively with SRP.

When I said that SHA1 hashes are stored in the security database, I meant exactly SRP verifiers. SHA1 is used for calculation of the SRP verifier, and this is the only result of SHA1 stored in the database.

BTW, apart from invalidation of all existing passwords, this step also invalidates all old clients, including Java and C# clients, not using the fbclient library. And it's hard to say which is worse.
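
An added example, not part of the original message and not Firebird's code: it shows why a stored SRP verifier is bound to the hash that produced it, so that changing the hash breaks both the stored record and any client still deriving its key with the old hash. The RFC 5054 key derivation, its 1024-bit group, the sample account and all function names are assumptions chosen for illustration.

```python
import hashlib

# RFC 5054 Appendix A 1024-bit group (assumption: illustration only,
# not taken from the Firebird source).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2


def private_key(hash_name, salt, user, password):
    """x = H(salt | H(user ":" password)), the RFC 5054 derivation."""
    inner = hashlib.new(hash_name, f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.new(hash_name, salt + inner).digest(), "big")


def verifier(hash_name, salt, user, password):
    """v = g^x mod N: the only password-derived value the server stores."""
    return pow(G, private_key(hash_name, salt, user, password), N)


def client_can_authenticate(stored_v, client_hash, salt, user, password):
    """Simplification: a real SRP exchange compares session-key proofs,
    but those agree only when the client's x maps to the stored verifier."""
    return verifier(client_hash, salt, user, password) == stored_v


# Constructed sample record, using the RFC 5054 Appendix B test inputs.
SALT = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")
USER, PASSWORD = "alice", "password123"

if __name__ == "__main__":
    stored = verifier("sha1", SALT, USER, PASSWORD)  # record created with SHA-1
    for client_hash in ("sha1", "sha256"):
        ok = client_can_authenticate(stored, client_hash, SALT, USER, PASSWORD)
        print(f"client using {client_hash}: authenticates={ok}")
```

The correct password with a different hash yields a different `x`, so the server cannot convert stored verifiers to a new hash without each user's password.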