brooklyn-dev mailing list archives

From Martin Harris <>
Subject Re: Password hash changes
Date Thu, 25 Jun 2015 14:41:10 GMT
I'd say '2' for now, then '1' in the next release



On 25 June 2015 at 15:39, Richard Downer <> wrote:

> All, but in particular @alasdairhodge, @grkvlt and @ahgittin:
> PR #687 "Tweak PasswordHasher to avoid potentially misleading use of
> ByteBuffer.array()" has an unresolved discussion around this potential
> break in backwards compatibility.
> This question is blocking the release, so we should come up with an answer.
> The issue is a recent change in the password hashing algorithm. Password
> hashes from before and after the change are not compatible, so users with
> hashed passwords in their must regenerate them.
> The options are:
> 1 - document in the release notes that users must regenerate their password
> hashes.
> 2 - change the code to try both old and new variants of the algorithm. Warn
> the user they need to update.
> 3 - supply an upgrade tool (haven't checked if this is feasible)
> What are people's opinions?
> Richard.

Martin Harris
Lead Software Engineer
Cloudsoft Corporation Ltd
Mobile: +44 (0)7989 047-855
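
Option 2 from the quoted message, sketched as an added example (not code from the thread, PR #687 or the Brooklyn code base): check the stored hash against the current variant first, fall back to the pre-change variant, and warn when only the old one matches. The class and method names, the use of SHA-256 over salt + password, and the modelling of the old variant as hashing the full ByteBuffer.array() backing array are all assumptions suggested only by the PR title.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical class; not the project's PasswordHasher.
public class DualPasswordCheck {
    enum Result { MATCH_CURRENT, MATCH_LEGACY, NO_MATCH }

    // Current variant (assumed): hash exactly the encoded bytes of salt + password.
    static byte[] currentHash(String salt, String password) throws NoSuchAlgorithmException {
        byte[] in = (salt + password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.getInstance("SHA-256").digest(in);
    }

    // Legacy variant (assumed): hash the whole backing array. array() ignores
    // the buffer's position and limit, so unused trailing bytes can be included.
    static byte[] legacyHash(String salt, String password) throws NoSuchAlgorithmException {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(salt + password);
        return MessageDigest.getInstance("SHA-256").digest(buf.array());
    }

    // Current format is tried first, so input for which both variants
    // produce the same digest is reported as MATCH_CURRENT without a warning.
    static Result verify(String salt, String password, byte[] stored)
            throws NoSuchAlgorithmException {
        // MessageDigest.isEqual is a time-constant comparison.
        if (MessageDigest.isEqual(currentHash(salt, password), stored)) {
            return Result.MATCH_CURRENT;
        }
        if (MessageDigest.isEqual(legacyHash(salt, password), stored)) {
            System.err.println("WARN: password matched the pre-change hash format; "
                    + "regenerate the stored hash");
            return Result.MATCH_LEGACY;
        }
        return Result.NO_MATCH;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not taken from any real configuration.
        String salt = "constructed-salt";
        String password = "constructed-password";
        System.out.println(verify(salt, password, currentHash(salt, password)));
        System.out.println(verify(salt, password, legacyHash(salt, password)));
        System.out.println(verify(salt, "wrong-password", currentHash(salt, password)));
    }
}
```

Following the reply's "2 for now, then 1 in the next release", the legacyHash branch is the part that would be deleted in the later release.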
