brooklyn-dev mailing list archives

From Richard Downer
Subject Password hash changes
Date Thu, 25 Jun 2015 14:39:44 GMT
All, but in particular @alasdairhodge, @grkvlt and @ahgittin:

PR #687 "Tweak PasswordHasher to avoid potentially misleading use of
ByteBuffer.array()" has an unresolved discussion around this potential
break in backwards compatibility.

This question is blocking the release, so we should come up with an answer.

The issue is a recent change in the password hashing algorithm. Password
hashes from before and after the change are not compatible, so users with
hashed passwords in their must regenerate them.

The options are:

1 - document in the release notes that users must regenerate their password
2 - change the code to try both old and new variants of the algorithm. Warn
the user they need to update.
3 - supply an upgrade tool (haven't checked if this is feasible)

What are people's opinions?
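
An added sketch of option 2, not part of the original message and not Brooklyn's own code: verify against the current variant first, fall back to the old one, and warn on a legacy match. The class and method names, the use of SHA-256 over salt + password, and the shape of the legacy variant (hashing the whole backing array returned by `ByteBuffer.array()`, as the PR title suggests) are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class DualHashCheck {
    enum Result { OK, OK_LEGACY_REHASH_NEEDED, REJECTED }

    // Assumed current variant: hash exactly the encoded bytes of salt + password.
    static byte[] currentHash(String salt, String password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(salt + password);
        byte[] exact = new byte[buf.remaining()];
        buf.get(exact);
        return sha256(exact);
    }

    // Assumed legacy variant: hash the whole backing array, which can be
    // longer than the encoded text and so carry trailing zero bytes.
    static byte[] legacyHash(String salt, String password) {
        return sha256(StandardCharsets.UTF_8.encode(salt + password).array());
    }

    static byte[] sha256(byte[] in) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(in);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    static Result check(String salt, String password, byte[] stored) {
        // MessageDigest.isEqual compares in constant time.
        if (MessageDigest.isEqual(currentHash(salt, password), stored)) return Result.OK;
        if (MessageDigest.isEqual(legacyHash(salt, password), stored)) return Result.OK_LEGACY_REHASH_NEEDED;
        return Result.REJECTED;
    }

    public static void main(String[] args) {
        String salt = "NaCl", pw = "correct horse"; // constructed sample values
        byte[] oldStored = legacyHash(salt, pw);     // hash written before the change
        byte[] newStored = currentHash(salt, pw);
        System.out.println(Arrays.equals(oldStored, newStored) ? "variants agree for this input" : "variants differ for this input");
        Result r = check(salt, pw, oldStored);
        if (r == Result.OK_LEGACY_REHASH_NEEDED)
            System.err.println("WARN: password hash uses the old algorithm; regenerate it");
        System.out.println(r + " / wrong password: " + check(salt, "wrong", oldStored));
    }
}
```

Whether the two variants differ depends on the input length, because the encoder sizes its backing array from an estimate; a fallback like this is meant to be removed once stored hashes have been regenerated.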

