Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2018-11-01
    • Component/s: Accounts
    • Labels:
      None

      Description

      Passwords set after MBS-9208 will use a more secure bcrypt hash, but the hash for older passwords will stay as it was, so they will be easier to crack. It’s not possible to create a new hash (with a higher cost factor) without the cleartext password, which we don’t store, so upgrading all password hashes in the background is not an option. However, on each login, the user provides us temporarily with the cleartext password; we could use this opportunity to gradually re-hash for all active accounts.
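
The upgrade-on-login flow described above, as an added example that is not part of the original ticket or the project's code. It assumes a dict as the account store and uses PBKDF2 from the Python standard library as a stand-in for bcrypt, with the iteration count playing the role of the cost factor; all function names, the record format and the work-factor values are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed work factors for this example (not values from the ticket).
LEGACY_ITERATIONS = 1_000
TARGET_ITERATIONS = 200_000

def hash_password(password, iterations=TARGET_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def parse(stored):
    """Split a stored record; raise ValueError if it is malformed."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def verify(password, stored):
    """Recompute the hash with the record's own salt and work factor."""
    try:
        iterations, salt, expected = parse(stored)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(actual, expected)

def needs_rehash(stored):
    """True when the record was created with a work factor below the target."""
    return parse(stored)[0] < TARGET_ITERATIONS

def login(db, user, password):
    """Check the password; on success, upgrade a below-target hash in place."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False          # never rehash on a failed check
    if needs_rehash(stored):  # the cleartext is only available at this point
        db[user] = hash_password(password)
    return True

def pending_upgrade(db):
    """Accounts that have not logged in since the change keep the old hash."""
    return sorted(u for u, s in db.items() if needs_rehash(s))

if __name__ == "__main__":
    db = {u: hash_password(p, LEGACY_ITERATIONS)
          for u, p in {"alice": "correct horse", "bob": "dormant"}.items()}
    print(login(db, "alice", "correct horse"), pending_upgrade(db))
```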

              People

              • Assignee:
                yvanzo yvanzo
                Reporter:
                chirlu Ulrich Klauer