Open cemerick opened 10 years ago
I think there should be a password timestamp so that when the default encryption method changes as the app evolves in the future (or when the current method becomes unsafe) it can auto-migrate old passwords. Also, such timestamps help in implementing a password expiration feature.
Friend recommends bcrypt (+ HMAC given #108), but it should make it easy to use and migrate existing (hopefully hashed) credentials from prior authentication regimes. Methods to support for verifying credentials include:
This should basically cover people coming from e.g. spring-security. At no point should Friend allow anyone to hash new passwords using these methods.
/cc @abedra
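The pattern the thread asks for (verify against legacy hashes, rehash with the current method on a successful login, stamp the record so expiry and future migrations are possible, and never mint new hashes with a legacy method), as an added example that is not Friend's code. It assumes a record layout with `method`, `hash`, `salt` and `hashed_at` fields and a legacy method named `sha256-hex`; PBKDF2 from the standard library stands in for bcrypt, which Friend actually uses.

```python
import hashlib
import hmac
import os

CURRENT = "pbkdf2-sha256"   # stand-in for bcrypt; the name is an assumption
ITERATIONS = 200_000

# Legacy methods are verify-only: there is deliberately no hash function for them.
LEGACY_VERIFIERS = {
    # unsalted SHA-256 hex digest, as produced by some older frameworks
    "sha256-hex": lambda pw, stored: hmac.compare_digest(
        hashlib.sha256(pw.encode()).hexdigest(), stored),
}

def hash_current(password, now):
    """Produce a fresh record with the current method and a timestamp."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"method": CURRENT, "salt": salt.hex(), "hash": dk.hex(), "hashed_at": now}

def verify_current(password, rec):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(rec["salt"]), ITERATIONS)
    return hmac.compare_digest(dk.hex(), rec["hash"])

def verify_and_migrate(password, rec, now):
    """Return (ok, record). A legacy record that verifies is replaced by a
    current-method record; anything else is returned unchanged."""
    if rec["method"] == CURRENT:
        return verify_current(password, rec), rec
    verifier = LEGACY_VERIFIERS.get(rec["method"])
    if verifier is None or not verifier(password, rec["hash"]):
        return False, rec            # unknown method or wrong password
    return True, hash_current(password, now)   # migrate on successful login

def needs_rotation(rec, now, max_age):
    """Expiry check: legacy records always need rotation; current ones age out."""
    return rec["method"] != CURRENT or now - rec["hashed_at"] > max_age

# Constructed fixture: simulates a hash left behind by the prior system.
# It is the only place a legacy digest is computed, and only to build test data.
SAMPLE_LEGACY = {"method": "sha256-hex",
                 "hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
                 "hashed_at": None}

if __name__ == "__main__":
    ok, migrated = verify_and_migrate("correct horse battery staple", SAMPLE_LEGACY, 1_000)
    print(ok, migrated["method"], migrated["hashed_at"])
```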