On Jul 31, 2009, at 9:35 AM, Gijsbert wrote:

> I know next to nothing about this stuff, but yesterday I had to do
> some stuff with htpasswd and I noticed you can actually use different
> hash schemes in the same password file (at least I saw a mix of salted
> and unsalted hashes). Couldn't this be used to solve the compatibility
> issue? Assuming that you can recognize the hashing scheme from the
> hash in the table, a new, more secure, algorithm could be added as
> default and both old and new passwords would keep on working.
>
> This is not as secure as forcing people to retype their password, like
> Julio suggested, but at least it would make the default install more
> secure.
Exactly. If the user's password validates with the old (weak) hash, rehash it with a stronger hash and write it back to the user table. That way the hash, at least, gets updated as soon as a user logs in.
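The scheme described in this exchange (recognise the hash format from the stored value, accept both old and new formats, and upgrade a legacy hash to the stronger one as soon as the user logs in successfully) as a stand-alone Python sketch. This is an added example, not web2py's own code: the `users` dict stands in for the user table, the legacy scheme is assumed to be unsalted MD5, and the stronger scheme is assumed to be salted PBKDF2-HMAC-SHA256 stored with a `pbkdf2$` prefix so it can be told apart from the old entries.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory "user table": username -> stored hash string.
# The legacy entry is an unsalted MD5 hex digest with no scheme prefix
# (assumed legacy format); upgraded entries use the prefixed PBKDF2 form.
users = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the new scheme


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<rounds>$<salt-hex>$<digest-hex>' for the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2${}${}${}".format(PBKDF2_ROUNDS, salt.hex(), dk.hex())


def scheme_of(stored: str) -> str:
    """Recognise the hashing scheme from the stored value alone."""
    if stored.startswith("pbkdf2$"):
        return "pbkdf2"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "md5"
    raise ValueError("unrecognised hash format")


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever scheme the stored value uses."""
    if scheme_of(stored) == "pbkdf2":
        _, rounds, salt_hex, digest_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
        )
        return hmac.compare_digest(dk.hex(), digest_hex)
    # Legacy unsalted MD5; constant-time compare to avoid leaking the digest.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def login(username: str, password: str) -> bool:
    """Validate the password; on success with a legacy hash, rehash and write back.

    The rehash happens only after a successful check, because the plaintext
    is available only at that moment; until then the old hash stays in place.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if scheme_of(stored) != "pbkdf2":
        users[username] = hash_pbkdf2(password)
    return True
```

Because the upgrade can only run when the user presents the password, accounts that never log in keep their weak hashes indefinitely; the thread's point that forcing a reset is stronger still holds, and a deployment would normally track which entries remain on the old scheme.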

