Ensure password hash validation is working and secure as can be #10
Comments
angusmcleod
changed the title
|
We need to deprecate this phpass thing. For the migration, I would request existing users to create a new password (bcrypt only) We could validate existing password but anyway we also need to do email validations again. It would be great if someone could review this piece: https://github.com/resonatecoop/id/blob/develop/oauth/email_token.go |
|
We may have compat problems between this phpass function and the wordpress passwords. |
|
One possible way forward is to introduce a new password policy (e.g. min 8 chars, mixture of upper lower number and special at least one of each) so that when everyone logs in for the first time to the new system you make them create a new password that fits the rules (can be the same as their old one, dont bother checking). You do this by asking them to click the reset pw link that emails them a secure URL to click on, valid for 10 minutes, and puts up a new PW screen. Then you will be sure that everyone is using the new system and you wont need to bother about compatibility with the old passwords |
|
@auggod Our plan is to
|
A key piece of the data migration is to ensure that password hashes created in Wordpress still function as expected in the new architechture. There is existing handling for this here: password.go, i.e. it first attempts to validate the hash using bcrypt, and then attempts an MD5 (Wordpress). I want to be sure
@auggod Do you have any concerns about the password hash validation logic you've added in the linked file? Any potential issues we should be aware of?
The text was updated successfully, but these errors were encountered: