Timeline for Hash function change
Current License: CC BY-SA 3.0
5 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Aug 28, 2012 at 19:16 | comment added | tylerl | | @CodesInChaos Yes -- it's an interesting solution, which makes it more interesting that you don't see this solution more in real-world use. I wonder why not. |
| Aug 28, 2012 at 19:06 | comment added | CodesInChaos | | You can use the double-hash update technique this post is about. Possibly together with a cleanup on the next login. |
| Aug 28, 2012 at 19:00 | comment added | tylerl | | @CodesInChaos Security is always a trade-off. You can, if you choose, disable accounts with old hashes or reset all the old passwords or whatever you want, really. But what you can't do is update the hash without having the plaintext password. So whether or not you think this is a good idea, it's what very nearly everybody does. |
| Aug 28, 2012 at 17:51 | comment added | CodesInChaos | | Keeping weak hashes around until the user in question logs in is a bad idea IMO. If this is a typical website, most users won't log in for a long time if ever. |
| Aug 28, 2012 at 3:13 | history answered | tylerl | CC BY-SA 3.0 | |
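The comments above refer to the "double-hash update" technique: every stored legacy hash is wrapped in a stronger, salted hash in one offline batch (no plaintext needed, so no row has to wait for a login), and the wrapper is later unwound into a direct hash of the password the next time the user authenticates. The following is an added example, not code from the answer or from the commenters; it assumes an unsalted SHA-1 legacy scheme and uses PBKDF2-HMAC-SHA256 from the Python standard library as the stronger hash. The record layout (`scheme`, `salt`, `hash`) and the iteration count are illustrative choices.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumed legacy scheme for this example: unsalted SHA-1 hex digest of the password.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

PBKDF2_ITERATIONS = 200_000  # illustrative work factor

def _pbkdf2(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS)

def wrap_legacy_record(legacy_hex: str) -> dict:
    """Offline migration step: hash the stored legacy digest again with salted PBKDF2.
    Only the stored digest is needed, so the whole table can be upgraded in one pass
    and the weak unsalted hash no longer sits in the database."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-over-sha1",
        "salt": salt,
        "hash": _pbkdf2(legacy_hex.encode("ascii"), salt),
    }

def make_direct_record(password: str) -> dict:
    """Target scheme: salted PBKDF2 directly over the plaintext password."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2",
        "salt": salt,
        "hash": _pbkdf2(password.encode("utf-8"), salt),
    }

def verify(record: dict, password: str) -> bool:
    """Recompute the stored value for whichever scheme the record uses."""
    if record["scheme"] == "pbkdf2-over-sha1":
        # Wrapped legacy hash: reproduce the inner SHA-1, then the outer PBKDF2.
        material = legacy_hash(password).encode("ascii")
    elif record["scheme"] == "pbkdf2":
        material = password.encode("utf-8")
    else:
        return False
    candidate = _pbkdf2(material, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def login(record: dict, password: str) -> Tuple[bool, dict]:
    """Authenticate; on success, if the record is still a wrapped legacy hash,
    replace it with a direct PBKDF2 record (the 'cleanup on the next login').
    Returns (authenticated, record_to_store)."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "pbkdf2-over-sha1":
        return True, make_direct_record(password)
    return True, record

if __name__ == "__main__":
    # Constructed sample: one legacy row being migrated.
    stored = wrap_legacy_record(legacy_hash("correct horse"))
    print(stored["scheme"], verify(stored, "correct horse"))
    ok, stored = login(stored, "correct horse")
    print(ok, stored["scheme"])
```

Design note: the wrapped record is only as strong as the inner SHA-1 against an attacker who already knows the plaintext space, but the outer salted, iterated hash removes the unsalted digest from the database immediately, which is the part of the trade-off the comments argue about. The cleanup on login then retires the inner SHA-1 entirely for active accounts.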