ctubbsii commented on pull request #1834: URL: https://github.com/apache/accumulo/pull/1834#issuecomment-744635177
> Thanks for addressing my concerns. I guess my only concern now is how to address future requirements, when the hashes get out of date. So if someone asks what hashes do we support, we just answer whatever the latest version we use of Apache commons Crypt library supports?

Well, now that we're using a standard format, we should be able to read any of the hashes that the Crypt library supports. The method we're calling in the Crypt API uses the default for that library, which is currently SHA-512, but it could change over time. Even if it changes, we will still be able to read the old values.

However, the old values won't automatically upgrade like they are now doing for the legacy format we previously used. Users will benefit from the new hash supported by the library only if they change their password. That's typical for how crypt(3) is used with passwd files in Linux, so I think it's a normal expectation.

However, as you saw, we do have a unit test to give us a heads up if something changes with the default, so we can address it on a case-by-case basis if it comes up. SHA-3 is being slowly adopted, so I expect we'll have to deal with it at some point, but probably not for quite a while.
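The situation described in the comment above, as an added example that is not part of the original comment or of Accumulo's code: a small parser for the crypt(3) modular format that reports which stored entries already use the current default scheme and which stay on an older one until the password is changed. The function names, the user table and the hash strings are constructed for illustration, and the default scheme id is an assumption taken from the comment's statement that the default is currently SHA-512.

```python
import re

# Modular crypt(3) layout: $id$[rounds=N$]salt$digest
MCF = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<digest>[./A-Za-z0-9]+)$"
)
# Scheme ids used by crypt(3) implementations for these three algorithms.
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
DEFAULT_ID = "6"  # assumption: the library default is SHA-512, per the comment


def parse(stored):
    """Split a stored value into its fields, or return None if unreadable."""
    m = MCF.match(stored)
    if m is None or m["id"] not in SCHEMES:
        return None
    rounds = int(m["rounds"]) if m["rounds"] else None  # None = scheme default
    return {"id": m["id"], "scheme": SCHEMES[m["id"]],
            "rounds": rounds, "salt": m["salt"]}


def audit(table, default_id=DEFAULT_ID):
    """Classify each user's stored hash against the current default scheme."""
    report = {}
    for user, stored in table.items():
        info = parse(stored)
        if info is None:
            report[user] = "unreadable"
        elif info["id"] == default_id:
            report[user] = "current"
        else:
            # Still verifiable, but only replaced when the password changes.
            report[user] = "older scheme"
    return report


# Constructed sample table; the digests are filler, not real hash output.
USERS = {
    "alice": "$6$constructedsalt$" + "A" * 86,
    "bob": "$5$rounds=10000$constructedsalt$" + "B" * 43,
    "carol": "deadbeef",  # not in crypt(3) format at all
}

if __name__ == "__main__":
    for user, status in audit(USERS).items():
        print(user, status)
```

Running `audit` with a different `default_id` shows what a change of library default would mean for the same table: every existing entry stays readable but falls into the "older scheme" group.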
