That said, the downside is that I have to keep both hash systems until all users
connect, which can take a long time, or may never happen!

On Thu, Oct 11, 2018 at 21:08, Thomas Bruyelle <thomas.bruye...@gmail.com> wrote:

> This is brilliant, thanks again Sam.
> I think I'll go for something like that. The argon2 hash can hold the
> version, just behind the mode; I could use that to distinguish old and new
> hashes.
>
> $argon2i$v=13$m=65536,t=3,p=4$SZ30vQfC522jpGssj92FkQ$xO4vPBrnd+DW/CbhiGjWW7u0s/nf7PcGUjS5bWQElYo
>
> On Thu, Oct 11, 2018 at 21:01, Sam Whited <s...@samwhited.com> wrote:
>
>> On Thu, Oct 11, 2018, at 13:56, Thomas Bruyelle wrote:
>> > Unfortunately, because of that version mismatch, all my users' hashes were
>> > created with a version not supported by golang.org/x/crypto/argon2, so I
>> > can't migrate :/
>>
>> I hope no problems are ever discovered in Argon2 then, it's generally a
>> good idea to have some sort of system for migrating hashes :)
>>
>> For example, when the user next logs in you could verify that the hash is
>> correct, but also calculate the new hash and update it and set a prefix or
>> a bit in the database somewhere saying that they're on "hash mechanism v2".
>> There's no need to force reset every password all at once since this isn't
>> a security issue.
>>
>> —Sam
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "golang-nuts" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/golang-nuts/Lx672zPwqSQ/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> golang-nuts+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>

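The migrate-on-login approach discussed in this thread, keyed on the `v=` field of the encoded hash, as an added Go example that is not code from any participant. The version tags `16` and `19`, the names `Login`, `Encode` and `kdf`, and the HMAC-SHA256 stand-in used in place of the real Argon2 libraries (so it runs with the standard library alone) are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed version tags for illustration; use the ones your stored hashes carry.
const legacyVer, currentVer = "16", "19"

var b64 = base64.RawStdEncoding

// kdf is a stdlib stand-in (HMAC-SHA256, NOT a password hash) for the per-version Argon2 library.
func kdf(ver string, pw, salt []byte) []byte {
	m := hmac.New(sha256.New, append([]byte(ver), salt...))
	m.Write(pw)
	return m.Sum(nil)
}

// Encode builds "$argon2i$v=<ver>$<params>$<salt>$<key>", the layout quoted in the thread.
func Encode(ver, pw string, salt []byte) string {
	return fmt.Sprintf("$argon2i$v=%s$m=65536,t=3,p=4$%s$%s", ver,
		b64.EncodeToString(salt), b64.EncodeToString(kdf(ver, []byte(pw), salt)))
}

// Login verifies pw; a legacy hash that verifies is re-hashed under currentVer with newSalt.
func Login(stored, pw string, newSalt []byte) (string, bool, error) {
	f := strings.Split(stored, "$") // "", argon2i, v=NN, params, salt, key
	if len(f) != 6 || (f[2] != "v="+legacyVer && f[2] != "v="+currentVer) {
		return stored, false, fmt.Errorf("malformed or unsupported hash")
	}
	ver := strings.TrimPrefix(f[2], "v=")
	salt, e1 := b64.DecodeString(f[4])
	want, e2 := b64.DecodeString(f[5])
	if e1 != nil || e2 != nil || subtle.ConstantTimeCompare(kdf(ver, []byte(pw), salt), want) != 1 {
		return stored, false, nil // undecodable or wrong password: never upgrade
	}
	if ver != currentVer {
		stored = Encode(currentVer, pw, newSalt) // plaintext is only available at login
	}
	return stored, true, nil
}

func main() {
	fmt.Println(Login(Encode(legacyVer, "pw", []byte("constructed-salt")), "pw", []byte("constructed-new!")))
}
```

The caller writes the returned record back to the database only when the second return value is true; accounts that never log in keep their legacy hash, so both verifiers have to stay available.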