
Make it easy to migrate out of busted password (hashing) schemes

Open · cemerick opened this issue 11 years ago · 1 comment

Friend recommends bcrypt (+ HMAC given #108), but it should make it easy to use and migrate existing (hopefully hashed) credentials from prior authentication regimes. Methods to support for verifying credentials include:

  • plain text
  • MD4
  • MD5
  • SHA-1, -256, -512

This should basically cover people coming from e.g. spring-security. At no point should Friend allow anyone to hash new passwords using these methods.

/cc @abedra

cemerick avatar May 26 '14 11:05 cemerick

I think there should be a password timestamp so that when the default encryption method changes as the app evolves in the future (or when the current method becomes unsafe) it can auto-migrate old passwords. Also, such timestamps help in implementing a password expiration feature.

myguidingstar-zz avatar Jun 06 '14 03:06 myguidingstar-zz