Open begemoth0 opened 3 years ago

mosquitto_passwd in version 1.6.9 uses a random salt when generating password hashes. Thus the password file always changes even if the usernames and passwords are the same. It can be a problem in various automation scenarios like deployments with Ansible or repeatable builds.
Can we make password hashes repeatable? Maybe use the old salt if the hash of the supplied password equals the one that is stored in the password file (effectively doing nothing :). You will always have the option to delete the user from the file and add it back again if you actually need to recalculate the hash with a new salt.

That's an interesting idea. I'm not sure of the security implications of not updating the salt each time, so perhaps having an option to not update the salt would be a good compromise. What do you think?

Thanks for the quick answer, Roger.
Yes, I think a command line option would be great. Also a quick check showed that Apache htpasswd also uses random values when hashing (I've just looked at the result, not digging deeply into the source code).
Also I suppose that if we're talking about reusing the same salt only if the passwords match, de facto that option turns out to be something like 'skip updating the file if the passwords match'.