Admidio / admidio

Admidio is a free open source user management system for websites of organizations and groups. The system has a flexible role model so that it’s possible to reflect the structure and permissions of your organization.
https://www.admidio.org
GNU General Public License v2.0

Drop lib phpass #328

Closed ximex closed 2 years ago

ximex commented 8 years ago

Remove the old password hashing lib.
Problem: Old passwords (hashes) won't work anymore.
Solution: For every old hash, generate a new password and send it by mail.
Bonus: Only secure hashes in the database.

Fasse commented 8 years ago

Why do old password hashes not work anymore?

ximex commented 8 years ago

After this change, this could be removed: https://github.com/Admidio/admidio/blob/master/adm_program/system/classes/passwordhashing.php#L71-L79 Then we would only support the hashes that are generated by bcrypt etc. (from PHP's internal hashing functions).

Fasse commented 8 years ago

We should not remove this. We migrate passwords at login and therefore we need it. I'm also not a friend of new automated passwords. This will be confusing for a lot of people. The current solution works well.
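The login-time migration Fasse refers to, as an added example that is not Admidio's code and is not taken from passwordhashing.php: the legacy hash is verified with the old scheme and, on success, immediately replaced by a `password_hash()` result, so that a user who still logs in is upgraded and no reset mail is needed. The legacy verifier is a placeholder (modelled as plain MD5 so the snippet runs without the phpass library), and the function names and sample users are invented.

```php
<?php
// Added example, not project code: upgrade legacy password hashes to
// password_hash() at login time instead of forcing new passwords.
declare(strict_types=1);

// Hypothetical stand-in for the old library's check (phpass portable hashes
// start with "$P$" or "$H$"). Modelled as MD5 here so the example runs
// without phpass; a real migration would call the legacy library instead.
function legacyVerify(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, md5($password));
}

// password_get_info() reports algo 0 (PHP < 7.4) or null (PHP >= 7.4)
// for hashes that password_hash() did not produce.
function isNativeHash(string $storedHash): bool
{
    $algo = password_get_info($storedHash)['algo'];
    return $algo !== 0 && $algo !== null;
}

/**
 * Verify $password against $storedHash.
 * Returns the hash that should now be stored: a fresh password_hash() result
 * when a legacy hash was migrated or the cost parameters changed, otherwise
 * the unchanged hash. Returns null when the password is wrong.
 */
function verifyAndMigrate(string $password, string $storedHash): ?string
{
    if (isNativeHash($storedHash)) {
        if (!password_verify($password, $storedHash)) {
            return null;
        }
        // Cost may have been raised since this hash was created.
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
            return password_hash($password, PASSWORD_DEFAULT);
        }
        return $storedHash;
    }

    // Legacy hash: check with the old scheme, then upgrade in place.
    if (!legacyVerify($password, $storedHash)) {
        return null;
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample data: one legacy hash, one already-migrated hash.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT),
];

$attempts = [['alice', 'correct horse'], ['bob', 'battery staple'], ['alice', 'wrong']];
foreach ($attempts as [$name, $pw]) {
    $new = verifyAndMigrate($pw, $users[$name]);
    if ($new === null) {
        echo "$name: login failed\n";
        continue;
    }
    $upgraded = $new !== $users[$name];
    $users[$name] = $new;  // persist the upgraded hash
    echo "$name: login ok" . ($upgraded ? ' (hash upgraded to '
        . password_get_info($new)['algoName'] . ')' : '') . "\n";
}
```

The legacy branch, and with it the old library, can only go once no legacy hashes remain in the database; users who never log in keep theirs, which is exactly the set of accounts the thread argues about.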

ximex commented 8 years ago

This will only affect the users who have never logged in since Admidio 3.1. And Admidio 4.0 is about 1 year away -> fewer people who get an email with a new password.

Bonus: People should change their passwords more often. We helped them ;-)

PeterTheOne commented 8 years ago

+1

(btw. sending passwords via email is also not a good idea.)

ximex commented 8 years ago

@PeterTheOne they are autogenerated and should get changed.

PeterTheOne commented 8 years ago

@ximex Yes, should be changed, but will they? http://security.stackexchange.com/a/17981/67030

Fasse commented 8 years ago

If a webmaster updates to Admidio 4 and had used Admidio 3.0 or less, then ALL users will get a new password. That will be very confusing for some end users.

ximex commented 8 years ago

I would only allow the update from the latest 3.x version to 4.0, so we could remove most of the legacy code. And yes, it could happen that someone is on version 3.0, wants to update to 4.0, sees that he needs to update to 3.x first, does that update (only his own password gets rehashed), then updates to 4.0, and all other users get new passwords. But between the release of 3.1 and 4.0 there will be more than 1.5 years. In German: "Man kanns nicht allen recht machen." ("You can't please everyone.")

Fasse commented 8 years ago

But I still see no point in this change. We would only make it hard for a lot of people. Simply changing all passwords at once can lead to some users no longer being able to use Admidio, because they can no longer find the email with the new password, log in incorrectly 3 times, etc. I just think of what would happen if this were done to a login of my parents ...

Just to remove an old lib, I find the disadvantages outweigh the benefits. I don't think 1.5 years is a long time. We still have people updating from Admidio versions 1.x or 2.2, and that is already 4 or 5 years.

ximex commented 8 years ago

OK, then let's postpone this. With 4.0 I wanted to make a clean break, clear out everything old and continue with clean code without a lot of "if"s for various differences.

Fasse commented 3 years ago

I think we can remove this for version 4.1. I also think we do not need to send a new password. The user can request a new password himself through the new request process.