On 2014-02-28 10:07, Nick Hibma wrote:
> On 28 Feb 2014, at 02:14, Allan Jude <free...@allanjude.com> wrote:
>> With r262501
>> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
>> the upgraded bcrypt from OpenBSD and eventually changing the default
>> identifier for bcrypt to $2b$ it reminded me of a feature that is often
>> seen in Forum software and other web apps.
>> …
>> This would make it much easier to transition a very large userbase from
>> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
>> something.
> The sleeping accounts won’t be upgraded, so be left at the ‘insecure’ 
> algorithm. I do see the point of automatic updating of password hashes for a 
> newer algorithm, but ‘not needing expiry’ isn’t the right argument. It is 
> actually an argument opposing your change!
> What you probably meant was: don’t hassle users with the change in algorithm, 
> possibly only the users that haven’t ever logged in after 6 months.
> Nick

The algorithm upgrade would upgrade everyone, including people who
changed their password just 5 days ago. If an account is dormant, and
never logs in, even a password expirey wouldn't force a password change,
because the user never logs in.

To better rephrase my point, the goal is to avoid having to adjust every
users password expirey to yesterday, in order to force them all to set
new passwords.

Allan Jude

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to