On Friday, February 28, 2014 4:58:29 pm Eitan Adler wrote:
> On 27 February 2014 20:14, Allan Jude <free...@allanjude.com> wrote:
> > With r262501
> > (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> > the upgraded bcrypt from OpenBSD and eventually changing the default
> > identifier for bcrypt to $2b$ it reminded me of a feature that is often
> > seen in Forum software and other web apps.
> >
> > Transparent algorithm upgrade.
> ...
> I would strongly support this
> > I think Nick's point is you do want passwords using the "old" hash to 
> are some point if they haven't been auto-converted.
> Password expiry is an orthogonal issue and should be up to administrator 

Yes, but if you are moving to a different algorithm to improve security, not 
coupling it with an eventual expiration of non-migrated accounts gives a false 
sense of security.  Any admin worth his/her salt is going to want the option
of enforcing that sort of policy along with the transparent update.  They 
should really be implemented together is all.

John Baldwin
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to