On Friday, February 28, 2014 12:16:45 pm Allan Jude wrote:
> On 2014-02-28 10:07, Nick Hibma wrote:
> > 
> > On 28 Feb 2014, at 02:14, Allan Jude <free...@allanjude.com> wrote:
> > 
> >> With r262501
> >> (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> >> the upgraded bcrypt from OpenBSD and eventually changing the default
> >> identifier for bcrypt to $2b$ it reminded me of a feature that is often
> >> seen in Forum software and other web apps.
> >> …
> >> This would make it much easier to transition a very large userbase from
> >> md5crypt to bcrypt or sha512crypt, rather than expiring the passwords or
> >> something.
> > 
> > The sleeping accounts won’t be upgraded, so will be left at the ‘insecure’
> > algorithm. I do see the point of automatic updating of password hashes for a
> > newer algorithm, but ‘not needing expiry’ isn’t the right argument. It is
> > actually an argument opposing your change!
> > 
> > What you probably meant was: don’t hassle users with the change in
> > algorithm, possibly only the users that haven’t ever logged in after 6 months.
> > 
> > Nick
> > 
> The algorithm upgrade would upgrade everyone, including people who
> changed their password just 5 days ago. If an account is dormant, and
> never logs in, even a password expiry wouldn't force a password change,
> because the user never logs in.
> To better rephrase my point, the goal is to avoid having to adjust every
> user's password expiry to yesterday, in order to force them all to set
> new passwords.

I think Nick's point is you do want passwords using the "old" hash to expire
at some point if they haven't been auto-converted.

John Baldwin
freebsd-current@freebsd.org mailing list
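The two halves of the thread fit together as one login routine: verify against whatever scheme the stored hash's identifier names, rewrite the hash in the current scheme while the cleartext is in hand (Allan's transparent upgrade), and separately flag accounts that still carry a legacy hash after a long idle period for a forced change (Nick's and John's expiry point). The following is an added example, not code from the thread or from FreeBSD's crypt(3)/login: the identifiers `$legacy-sha1$` and `$pbkdf2-sha256$` are constructed stand-ins for `$1$` and `$2b$`, PBKDF2 from the standard library stands in for bcrypt, and the two accounts are constructed sample data. It goes slightly beyond the thread in that `needs_rehash` also triggers when a current-scheme hash was made with a lower work factor than the present setting, so a later cost increase rolls out the same way.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Optional

# Constructed hash identifiers standing in for crypt(3)'s "$1$" (md5crypt)
# and "$2b$" (bcrypt); the prefix tells us which scheme a stored hash uses
# and therefore whether it is due for an upgrade.
LEGACY_ID = "$legacy-sha1$"
CURRENT_ID = "$pbkdf2-sha256$"
CURRENT_ROUNDS = 200_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_legacy(password: str, salt: Optional[bytes] = None) -> str:
    """Weak salted SHA-1: the scheme the existing accounts were created under."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(salt + password.encode()).digest()
    return f"{LEGACY_ID}{_b64(salt)}${_b64(digest)}"


def hash_current(password: str, salt: Optional[bytes] = None,
                 rounds: int = CURRENT_ROUNDS) -> str:
    """Scheme new and upgraded hashes are written in (PBKDF2 as a stdlib stand-in)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{CURRENT_ID}{rounds}${_b64(salt)}${_b64(digest)}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the scheme and parameters named in the stored string."""
    if stored.startswith(LEGACY_ID):
        salt_b64 = stored[len(LEGACY_ID):].split("$")[0]
        candidate = hash_legacy(password, base64.b64decode(salt_b64))
    elif stored.startswith(CURRENT_ID):
        rounds, salt_b64 = stored[len(CURRENT_ID):].split("$")[:2]
        candidate = hash_current(password, base64.b64decode(salt_b64), int(rounds))
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """True for a legacy hash, or a current-scheme hash with a lower work factor."""
    if not stored.startswith(CURRENT_ID):
        return True
    return int(stored[len(CURRENT_ID):].split("$")[0]) < CURRENT_ROUNDS


def login(db: dict, user: str, password: str, now: datetime) -> str:
    rec = db.get(user)
    if rec is None or not verify(password, rec["hash"]):
        return "rejected"
    rec["last_login"] = now
    if rec["must_change"]:
        return "change-required"  # expired legacy hash: set a new password first
    if needs_rehash(rec["hash"]):
        # The cleartext is available only at login, so this is the one
        # moment the stored hash can be rewritten without bothering the user.
        rec["hash"] = hash_current(password)
        return "upgraded"
    return "ok"


def expire_stale_legacy(db: dict, now: datetime, max_idle: timedelta) -> list:
    """Accounts that never log in never get upgraded, so flag any still on a
    legacy hash after max_idle for a forced password change."""
    flagged = []
    for name, rec in db.items():
        if needs_rehash(rec["hash"]) and now - rec["last_login"] > max_idle:
            rec["must_change"] = True
            flagged.append(name)
    return sorted(flagged)


def make_sample_db() -> dict:
    """Constructed sample accounts, both created under the legacy scheme."""
    salt = b"\x01" * 8
    return {
        "alice": {"hash": hash_legacy("correct horse", salt),
                  "last_login": datetime(2014, 2, 23), "must_change": False},
        "bob": {"hash": hash_legacy("hunter2", salt),
                "last_login": datetime(2013, 6, 1), "must_change": False},
    }


if __name__ == "__main__":
    db = make_sample_db()
    now = datetime(2014, 2, 28)
    print(login(db, "alice", "correct horse", now))           # upgraded
    print(expire_stale_legacy(db, now, timedelta(days=180)))  # ['bob']
    print(login(db, "bob", "hunter2", now))                   # change-required
```

The order inside `login` matters: the password is checked first so that an attacker cannot learn from the response whether an account has been flagged, and the expiry flag is honoured before the transparent rehash so that a dormant account on the old scheme gets a genuinely new password rather than just a re-encoded old one.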