Blueprint changed by Christopher Adams:

Whiteboard changed:
  1) Change the aiki_users table by replacing the password field with three 
fields:
-  * salt
-  * hash
-  * algorithm
+  * salt
+  * hash
+  * algorithm
  
  For current deployments, you can migrate the current users by leaving
  the salt empty, renaming the password field to hash, and listing the
  algorithm as 'md5md5' or something similar.
  
  2) Decouple the standard function for generating hashes and use the
  algorithm field to determine which class/function to use. These
  algorithm classes might more properly be stored in extensions. When
  installing Aiki let the user decide which algorithm to use by default,
- or just enforce a default. At minimum we should recommend sha-1.
+ or just enforce a default. At minimum we should recommend sha1.
  
  3) For new users, create a random salt and store it in the salt field.
  Combine the salt and the password and run it through specified hashing
  algorithm.
  
  4) Create a function that upgrades old users to the default hashing
  algorithm the next time they log in.
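
Review bot: In step 2, the changed line still sets the recommended minimum at sha1, which is a fast general-purpose hash. The per-user salt from step 3 defeats precomputed tables, but it does not slow down guessing against a leaked aiki_users table. Since the algorithm field already makes the scheme pluggable, I would make the default a purpose-built password hashing function (bcrypt, scrypt, PBKDF2 or Argon2) and store its work factor alongside the algorithm name. Step 3 should also say that the salt comes from a cryptographically secure random source. Under steps 1 and 4, an account that never logs in again keeps its unsalted 'md5md5' hash indefinitely. Wrapping the existing hash in the new default at migration time (new algorithm applied over the old hash, recorded as such in the algorithm field) would cover those accounts without waiting for a login. The salt/hash/algorithm list change looks like whitespace only.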

-- 
Aiki needs a more robust hashing framework for passwords
https://blueprints.launchpad.net/aikiframework/+spec/better-password-hashing

_______________________________________________
Mailing list: https://launchpad.net/~aikiframework.admins