Closed ctgraham closed 9 months ago
In reviewing the potential risk mitigated by this migration: https://github.com/ulsdevteam/pkp-betterPassword/blob/88136e0f28f5eca5e68b184c13af8769ec68eb3e/BetterPasswordSchemaMigration.php#L42-L60
I now believe unhashed passwords were never stored in the user settings. This hooks on the update of the User object, which only ever stored hashed passwords. https://github.com/ulsdevteam/pkp-betterPassword/blob/28058f63391adaae9879d9ea887616cc49179345/features/LimitReuse.inc.php#L79-L91