On Friday, February 28, 2014 4:58:29 pm Eitan Adler wrote:
> On 27 February 2014 20:14, Allan Jude <free...@allanjude.com> wrote:
> > With r262501
> > (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing
> > the upgraded bcrypt from OpenBSD and eventually changing the default
> > identifier for bcrypt to $2b$ it reminded me of a feature that is often
> > seen in Forum software and other web apps.
> > Transparent algorithm upgrade.
> I would strongly support this
> > I think Nick's point is you do want passwords using the "old" hash to
> are some point if they haven't been auto-converted.
> Password expiry is an orthogonal issue and should be up to administrator
Yes, but if you are moving to a different algorithm to improve security, not
coupling it with an eventual expiration of non-migrated accounts gives a false
sense of security. Any admin worth his/her salt is going to want the option
of enforcing that sort of policy along with the transparent update. They
should really be implemented together is all.
email@example.com mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"