On Friday, February 28, 2014 4:58:29 pm Eitan Adler wrote: > On 27 February 2014 20:14, Allan Jude <free...@allanjude.com> wrote: > > With r262501 > > (http://svnweb.freebsd.org/base?view=revision&revision=262501) importing > > the upgraded bcrypt from OpenBSD and eventually changing the default > > identifier for bcrypt to $2b$ it reminded me of a feature that is often > > seen in Forum software and other web apps. > > > > Transparent algorithm upgrade. > ... > > I would strongly support this > > > I think Nick's point is you do want passwords using the "old" hash to expire > are some point if they haven't been auto-converted. > > Password expiry is an orthogonal issue and should be up to administrator policy.
Yes, but if you are moving to a different algorithm to improve security, not coupling it with an eventual expiration of non-migrated accounts gives a false sense of security. Any admin worth his/her salt is going to want the option of enforcing that sort of policy along with the transparent update. They should really be implemented together is all. -- John Baldwin _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
