
Regenerate password hash on a sign in after the stretches config changes

Open · sergey-alekseev opened this issue 6 years ago · 1 comment

I want to remind about a feature which was requested in https://github.com/plataformatec/devise/pull/1862, https://github.com/plataformatec/devise/issues/3635 and https://github.com/plataformatec/devise/pull/3549#issuecomment-193235701.

https://github.com/rails/rails/pull/35321/commits/87aa60ec367212e5ca49f39a9de29088f22ff469 handles this:

  • Rehash passwords with newer cost when they're authenticated.

    On successful authentication, rehash passwords that had originally been hashed with an outdated, lower cost. Ensures old passwords don't grow increasingly vulnerable to offline cracking.

For me it totally makes sense to regenerate password hash on a sign in after the stretches config changes. I can go ahead and submit a PR. Using a devise gem version would be better than using a devise patched version. What do you think?

(copied from https://github.com/plataformatec/devise/pull/5074#issuecomment-492696360 as @mracos suggested)

sergey-alekseev, Sep 26 '19 13:09
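A minimal model of the rehash-on-sign-in behaviour the issue asks for, added here as an illustration and not code from Devise or Rails. Devise stores bcrypt hashes whose cost factor is readable from the hash itself; to stay dependency-free this snippet swaps in PBKDF2 from Ruby's standard `openssl` library and records the stretch count in a constructed `pbkdf2$<stretches>$<salt>$<digest>` string, treating `stretches` as a power-of-two iteration count in the spirit of bcrypt's cost. `Config.stretches`, `PasswordHasher`, `Authenticator` and `User` are hypothetical names. The key point it demonstrates is the one from the Rails commit quoted above: the only moment the plaintext is available to rehash with the new cost is immediately after a successful authentication, and a failed attempt must leave the stored hash untouched.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for Devise's `config.stretches` (hypothetical module name).
module Config
  class << self
    attr_accessor :stretches
  end
  self.stretches = 12
end

module PasswordHasher
  DIGEST_BYTES = 32

  # Mirror bcrypt's cost semantics: work doubles with every extra stretch.
  def self.iterations_for(stretches)
    1 << stretches
  end

  # Constructed encoding: "pbkdf2$<stretches>$<salt_hex>$<digest_hex>".
  # Embedding the stretch count is what lets a later sign-in detect a stale hash.
  def self.hash(password, stretches: Config.stretches)
    salt = SecureRandom.hex(16)
    "pbkdf2$#{stretches}$#{salt}$#{derive(password, salt, stretches)}"
  end

  def self.stretches_of(encoded)
    encoded.split('$')[1].to_i
  end

  def self.valid?(password, encoded)
    scheme, stretches, salt, digest_hex = encoded.split('$')
    return false unless scheme == 'pbkdf2' && stretches && salt && digest_hex
    constant_time_equal?(derive(password, salt, stretches.to_i), digest_hex)
  end

  def self.derive(password, salt, stretches)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                             iterations: iterations_for(stretches),
                             length: DIGEST_BYTES, hash: 'sha256').unpack1('H*')
  end
  private_class_method :derive

  # Length-independent comparison so verification time does not leak digest bytes.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

User = Struct.new(:email, :encrypted_password)

module Authenticator
  # Returns the user on success, nil otherwise. On success, and only then,
  # rehash if the stored hash was produced with a stretch count that differs
  # from the current configuration.
  def self.sign_in(user, password)
    return nil unless PasswordHasher.valid?(password, user.encrypted_password)

    if PasswordHasher.stretches_of(user.encrypted_password) != Config.stretches
      # Plaintext is in hand right now; this is the one place a rehash is possible.
      user.encrypted_password = PasswordHasher.hash(password)
    end
    user
  end
end

# Stand-alone demonstration with constructed data.
if __FILE__ == $PROGRAM_NAME
  Config.stretches = 4
  user = User.new('alice@example.com', PasswordHasher.hash('correct horse'))
  Config.stretches = 6                       # operator raises the cost
  Authenticator.sign_in(user, 'wrong')       # failure: hash stays at 4 stretches
  Authenticator.sign_in(user, 'correct horse') # success: hash upgraded to 6
  puts PasswordHasher.stretches_of(user.encrypted_password)
end
```

In Devise terms the comparison would be `BCrypt::Password.new(user.encrypted_password).cost != Devise.stretches`, and the rehash would be an ordinary `user.update(password: ...)` inside the strategy that already holds the submitted password; lowering the cost is handled the same way, since the check is for inequality rather than "lower than".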

Rails dropped that plan citing surprising behavior, so the linked commit is no longer in Rails.

https://github.com/rails/rails/pull/35321#issuecomment-566858439

tachyons, Feb 03 '25 11:02