This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Make it easy to migrate out of busted password (hashing) schemes #109

Open
cemerick opened this issue May 26, 2014 · 1 comment
Comments

@cemerick
Owner

Friend recommends bcrypt (+ HMAC given #108), but it should make it easy to use and migrate existing (hopefully hashed) credentials from prior authentication regimes. Methods to support for verifying credentials include:

  • plain text
  • MD4
  • MD5
  • SHA-1, -256, -512

This should basically cover people coming from e.g. spring-security. At no point should Friend allow anyone to hash new passwords using these methods.

/cc @abedra

@cemerick cemerick added this to the 0.3.0 milestone May 26, 2014
@myguidingstar-zz

I think there should be a password timestamp so that when the default encryption method changes as the app evolves in the future (or when the current method becomes unsafe) it can auto-migrate old passwords. Also, such timestamps help implement a password expiration feature.
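
The flow the thread sketches, verify legacy digests but never create new ones, rehash on a successful login, and use a stored timestamp to age out old hashes, written out as an added Python example. This is not Friend's code (Friend is Clojure and the issue names bcrypt); the standard library's PBKDF2-HMAC-SHA256 stands in as the "current" scheme, and the record layout, field names, one-year rehash policy and the sample user are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Digests a legacy store may contain. They are accepted for *verification only*;
# hash_password() below never produces them. MD4 from the issue is left out
# because Python builds on current OpenSSL usually do not expose it.
LEGACY_DIGESTS = {"md5", "sha1", "sha256", "sha512"}
CURRENT_SCHEME = "pbkdf2-sha256"   # hypothetical stand-in for bcrypt
PBKDF2_ROUNDS = 600_000            # high iteration count; the cost is the point
MAX_HASH_AGE = 365 * 24 * 3600     # assumed policy: rehash anything older than a year


def hash_password(password, now=None):
    """Create a credential record. Only the current scheme is ever used here."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "scheme": CURRENT_SCHEME,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "hashed_at": int(time.time()) if now is None else now,
    }


def _verify_legacy(record, password):
    """Check a password against a legacy (unsalted digest or plaintext) record."""
    scheme = record["scheme"]
    if scheme == "plaintext":
        return hmac.compare_digest(record["hash"].encode(), password.encode())
    if scheme in LEGACY_DIGESTS:
        computed = hashlib.new(scheme, password.encode()).hexdigest()
        return hmac.compare_digest(computed, record["hash"])
    raise ValueError(f"unsupported credential scheme {scheme!r}")


def _verify_current(record, password):
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(computed.hex(), record["hash"])


def needs_rehash(record, now=None):
    """Stale if the record uses a legacy scheme or is older than MAX_HASH_AGE."""
    if record["scheme"] != CURRENT_SCHEME:
        return True
    now = int(time.time()) if now is None else now
    return now - record.get("hashed_at", 0) > MAX_HASH_AGE


def verify_password(record, password, now=None):
    """Return (ok, replacement). replacement is a fresh current-scheme record
    to store when the password was correct and the stored one is stale."""
    if record["scheme"] == CURRENT_SCHEME:
        ok = _verify_current(record, password)
    else:
        ok = _verify_legacy(record, password)
    if ok and needs_rehash(record, now):
        # The plaintext is only in hand at login, so migration happens here.
        return True, hash_password(password, now)
    return ok, None


def login(store, user, password, now=None):
    """Verify a login and transparently migrate the stored record on success."""
    record = store.get(user)
    if record is None:
        return False
    ok, replacement = verify_password(record, password, now)
    if ok and replacement is not None:
        store[user] = replacement
    return ok


# Constructed sample store: one user imported from a legacy SHA-1 deployment.
LEGACY_STORE = {
    "alice": {
        "scheme": "sha1",
        "hash": hashlib.sha1(b"correct horse battery").hexdigest(),
        "hashed_at": 0,
    },
}

if __name__ == "__main__":
    store = {k: dict(v) for k, v in LEGACY_STORE.items()}
    print(login(store, "alice", "correct horse battery"), store["alice"]["scheme"])
```

Because each legacy check is a single cheap digest, the same rate limiting that protects the login endpoint has to cover the migration path too, and the unsupported-scheme branch raises rather than returning False so that a typo in an imported record is noticed instead of silently locking the user out.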

@cemerick cemerick modified the milestone: 1.0.0 Jun 11, 2016