https://bugzilla.wikimedia.org/show_bug.cgi?id=28419
--- Comment #24 from Tyler Romeo <tylerro...@gmail.com> 2012-03-24 21:00:30 UTC ---

Some very good points. I definitely agree with changing the function names. XD

But as far as the upgradeable part goes, it would be a security hazard to generate new hashes based on the old hashing algorithm. From what I can tell, there are two purposes to using PBKDF2 over our current crypt method:

1) Use of SHA-512 over MD5, which is vastly superior.
2) Increase in amount of work required to calculate the hash.

If we were to hash the current hash into the new hash, it would carry over any collisions from MD5 over into the final PBKDF2 hash.

However, the current patch is constructed so that if a specific global variable is set to True, whenever a user with an old hash performs a successful login, it recalculates the hash and stores it.
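
The upgrade-on-login behaviour described in the comment above, as an added Python example; it is not code from the patch or from MediaWiki. The flag name `UPGRADE_ON_LOGIN`, both record formats, the iteration count and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

UPGRADE_ON_LOGIN = True   # hypothetical stand-in for the patch's global switch
ITERATIONS = 100_000      # assumed work factor, not taken from the patch

def hash_legacy(password: str, salt: str) -> str:
    """Constructed legacy record: md5$<salt>$<md5(salt + password)>."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"

def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Constructed new record: pbkdf2-sha512$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2-sha512${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format."""
    scheme, *fields = stored.split("$")
    try:
        if scheme == "md5" and len(fields) == 2:
            expected = hash_legacy(password, fields[0])
        elif scheme == "pbkdf2-sha512" and len(fields) == 3:
            expected = hash_pbkdf2(password, bytes.fromhex(fields[1]), int(fields[0]))
        else:
            return False  # unknown scheme: fail closed
    except ValueError:
        return False      # malformed salt or iteration field: fail closed
    return hmac.compare_digest(expected, stored)

def login(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False  # a failed login never touches the stored hash
    if UPGRADE_ON_LOGIN and not stored.startswith("pbkdf2-sha512$"):
        # Derive the new record from the plaintext just supplied, not from the
        # old MD5 digest, so no MD5 output is carried into the PBKDF2 hash.
        db[user] = hash_pbkdf2(password)
    return True

# Constructed sample account stored in the legacy format.
db = {"alice": hash_legacy("correct horse", "a1b2c3")}
```

Accounts that never log in again keep their legacy record under this scheme.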