I have a pending patch for per-user last. It is in my todo list....

On Nov 1, 10:32 pm, Eli Collins <e...@astllc.org> wrote:
> I'm coming slightly late to this thread, but wanted to add a note...
>
> > If we did implement this approach, the next question is, could we also
> > implement a scheme whereby if the algo is changed, when someone goes to
> > change their password, the system can confirm that the old password is
> > provided correctly and then store the new password under the new scheme?
>
> If you do decide to use the passlib <http://packages.python.org/passlib>
> library (per João Gulineli's post
> <http://../d/msg/web2py/WEiNGgDya58/zoKCedgl-qwJ>), it also offers a
> CryptContext
> <http://packages.python.org/passlib/lib/passlib.context-usage.html#bas...>
> class which can configurably let you support multiple hashes at once; but
> more importantly (with regard to the quoted question), it also lets you mark
> certain hash schemes as "deprecated", and offers a verify_and_update()
> <http://packages.python.org/passlib/lib/passlib.context-interface.html...>
> method which takes care of that exact operation you described: verify
> password, and re-encode if previously stored using a deprecated hash (the
> function docs link to a usage example).
>
> - Eli Collins
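
The verify-then-re-encode flow described in the quoted message, as an added standard-library sketch (not passlib's code and not code from this thread). The `$scheme$rounds$salt$digest` record format, the legacy `ssha1` scheme, the 600,000-round policy, the dict standing in for the user table and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, os

PBKDF2_ROUNDS = 600_000       # assumed current policy; tune for your hardware
DEPRECATED = {"ssha1"}        # still verifiable, never issued for new hashes

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def _digest(scheme, password, salt, rounds):
    pw = password.encode("utf-8")
    if scheme == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
    if scheme == "ssha1":     # hypothetical legacy scheme: one salted SHA-1
        return hashlib.sha1(salt + pw).digest()
    raise ValueError("unknown scheme: " + scheme)

def hash_password(password, scheme="pbkdf2-sha256", rounds=PBKDF2_ROUNDS):
    salt = os.urandom(16)     # fresh per-user salt on every (re)hash
    digest = _digest(scheme, password, salt, rounds)
    return "$".join(["", scheme, str(rounds), _b64(salt), _b64(digest)])

def verify_and_update(password, stored):
    """Return (ok, new_hash); new_hash is None unless the record is stale."""
    try:
        _, scheme, rounds, salt, expected = stored.split("$")
        rounds = int(rounds)
        salt, expected = base64.b64decode(salt), base64.b64decode(expected)
        actual = _digest(scheme, password, salt, rounds)
    except (ValueError, OverflowError):
        return False, None    # malformed record or unknown scheme: fail closed
    if not hmac.compare_digest(actual, expected):
        return False, None    # never re-hash on a failed verification
    stale = scheme in DEPRECATED or rounds < PBKDF2_ROUNDS
    return True, (hash_password(password) if stale else None)

def login(db, user, password):
    """db is a dict standing in for the user table (constructed for the demo)."""
    ok, new_hash = verify_and_update(password, db.get(user, ""))
    if ok and new_hash:
        db[user] = new_hash   # persist the upgrade while the plaintext is in hand
    return ok
```

The upgrade can only happen at a successful verification, because that is the only time the server holds the plaintext; accounts that never log in again keep the deprecated hash until they are forced through a reset.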