This is brillant, thanks again Sam. I think I'll go for something like that. The argon2 hash can hold the version, just behind the mode, I could use that to distinguish old and new hash.
$argon2i$*v=13* $m=65536,t=3,p=4$SZ30vQfC522jpGssj92FkQ$xO4vPBrnd+DW/CbhiGjWW7u0s/nf7PcGUjS5bWQElYo Le jeu. 11 oct. 2018 à 21:01, Sam Whited <s...@samwhited.com> a écrit : > On Thu, Oct 11, 2018, at 13:56, Thomas Bruyelle wrote: > > Unfortunately, because of that version mismatch, all my users' hashes > were > > created with a version not supported by golang.org/x/crypto/argon2, so > I > > can't migrate :/ > > I hope no problems are ever discovered in Argon2 then, it's generally a > good idea to have some sort of system for migrating hashes :) > > For example, when the user next logs in you could verify that he hash is > correct, but also calculate the new hash and update it and set a prefix or > a bit in the database somewhere saying that they're on "hash mechanism v2". > There's no need to force reset every password all at once since this isn't > a security issue. > > —Sam > > -- > You received this message because you are subscribed to a topic in the > Google Groups "golang-nuts" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/golang-nuts/Lx672zPwqSQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > golang-nuts+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
