
Ticket #707 (open enhancement)

Convert old passwords when logging in

  • Created: 2012-07-11 10:52:56
  • Reported by: Franz
  • Assigned to: Franz
  • Milestone: 2.0-beta1
  • Component: authentication
  • Priority: low

As Laravel uses a different hashing algorithm than the old versions of FluxBB, we need to convert the hashes.

As we cannot do that without the plain-text password, the user needs to cause this to happen. The unfriendly way is to force them to reset their passwords. The friendly way: when a password check fails, check whether the hash maybe is an old-style hash of the given plain-text password. If so, create a new-style hash out of the given plain-text password and store it.

It would be worth thinking about putting this in an official extension.

History

Franz 2012-08-29 22:36:48

  • Milestone changed from 2.0-beta1 to 2.0-alpha1.
  • Owner set to Franz.

After reading this excellent discussion on the issue, I believe we should add a column (or some characters in the hash) for the password version and update based on that. Nonetheless, for security reasons, the old hashes should still be hashed with the new hash algorithm. That can be done in the upgrade script.

And do that as early as possible. Like now.
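The approach from the ticket description and the comment above, as an added example that is not part of the ticket or of FluxBB's code: the upgrade script wraps each old hash in the new algorithm and tags it with a version marker, and login replaces it with a plain new-style hash once the password is known. It assumes the old hashes are unsalted SHA-1 hex digests and the new algorithm is bcrypt through PHP's `password_hash()`; the `legacy-sha1:` marker and the function names are hypothetical.

```php
<?php
// Added example; not FluxBB code. Assumptions: legacy hashes are unsalted
// SHA-1 hex digests and the new algorithm is bcrypt via password_hash().
// The "legacy-sha1:" marker and both function names are hypothetical.

const LEGACY_PREFIX = 'legacy-sha1:';

// Upgrade script step: wrap a stored legacy digest in the new algorithm
// without knowing the password, and mark it with the version prefix.
function wrapLegacyHash(string $sha1Hex): string
{
    // The hex digest (40 ASCII chars) is hashed, not the raw bytes: bcrypt
    // stops at NUL bytes and ignores input beyond 72 bytes.
    return LEGACY_PREFIX . password_hash(strtolower($sha1Hex), PASSWORD_BCRYPT);
}

// Login step: returns [bool $ok, ?string $replacement]. When $replacement
// is non-null the caller stores it in place of the old value.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (strncmp($stored, LEGACY_PREFIX, strlen(LEGACY_PREFIX)) === 0) {
        $inner = substr($stored, strlen(LEGACY_PREFIX));
        if (!password_verify(sha1($password), $inner)) {
            return [false, null];
        }
        // Plain text is available now: drop the SHA-1 layer entirely.
        return [true, password_hash($password, PASSWORD_BCRYPT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already new-style; rehash only if the cost settings have changed.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT)
        ? password_hash($password, PASSWORD_BCRYPT) : null;
    return [true, $new];
}

// Constructed sample: a legacy row for the password "correct horse".
$row = wrapLegacyHash(sha1('correct horse'));
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $row);
var_dump($ok, strpos($upgraded, LEGACY_PREFIX) === false);
[$ok2, $none] = verifyAndUpgrade('wrong guess', $row);
var_dump($ok2, $none);
[$ok3, $same] = verifyAndUpgrade('correct horse', $upgraded);
var_dump($ok3, $same);
```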

Franz 2012-10-18 22:31:53

  • Milestone changed from 2.0-alpha1 to 2.0-beta1.

Makes sense to do this later, together with #390.