
If you happen to have a web app that stores passwords in clear text or SHA-1 hashed, all is not lost. You can apply further secure hashes to the existing value stored in the db and update your authentication validator.



Or do the easy thing and perform a Chinese fire drill whenever the user logs in and bump them to the new encryption schema.
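Both approaches above (wrapping the stored SHA-1 in a stronger hash offline, and re-hashing on the next successful login) can live in one validator. The following is an added example and not code from either commenter; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs without extra packages, and the `sha1$…`, `pbkdf2_sha1wrap$…` and `pbkdf2$…` record formats, the iteration count and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; tune for your hardware).
ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_sha1_record(password: str) -> str:
    """What the old, weak scheme stored: an unsalted SHA-1 hex digest of the password."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def _pbkdf2(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def wrap_legacy_sha1(record: str) -> str:
    """Offline migration: strengthen an existing sha1$ record without knowing the password.

    The stored SHA-1 hex digest becomes the input to PBKDF2, so an attacker with the
    table now pays one SHA-1 plus a full PBKDF2 run per guess instead of one SHA-1.
    """
    parts = record.split("$")
    if len(parts) != 2 or parts[0] != "sha1" or not parts[1]:
        raise ValueError("only sha1$ records can be wrapped")
    salt = os.urandom(SALT_BYTES)
    dk = _pbkdf2(parts[1].encode(), salt, ITERATIONS)
    return f"pbkdf2_sha1wrap${ITERATIONS}${salt.hex()}${dk.hex()}"


def make_native_record(password: str) -> str:
    """Target scheme for new and re-hashed passwords: salted PBKDF2 over the password itself."""
    salt = os.urandom(SALT_BYTES)
    dk = _pbkdf2(password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Validator that understands every record format still present in the table."""
    parts = record.split("$")
    scheme = parts[0]
    if scheme == "sha1":
        if len(parts) != 2:
            raise ValueError("malformed sha1 record")
        expected = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(expected, parts[1])
    if scheme in ("pbkdf2", "pbkdf2_sha1wrap"):
        if len(parts) != 4:
            raise ValueError("malformed pbkdf2 record")
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        dk = bytes.fromhex(parts[3])
        material = password.encode()
        if scheme == "pbkdf2_sha1wrap":
            # Reproduce what the wrapped record was built from: the hex SHA-1 of the password.
            material = hashlib.sha1(material).hexdigest().encode()
        return hmac.compare_digest(_pbkdf2(material, salt, iterations), dk)
    raise ValueError(f"unknown scheme {scheme!r}")


def authenticate(password: str, record: str):
    """Login path. Returns (ok, replacement_record).

    When a legacy-format record verifies, the cleartext password is in hand, so a
    native pbkdf2$ record is returned for the caller to store (the "bump on login"
    step). Native records and failed logins return None as the replacement.
    """
    if not verify(password, record):
        return False, None
    if record.startswith("pbkdf2$"):
        return True, None
    return True, make_native_record(password)
```

Run `wrap_legacy_sha1` over every `sha1$` row in one batch so no unsalted SHA-1 remains at rest, then let `authenticate` retire the wrapped records one login at a time; users who never log in again stay protected by the wrap rather than being locked out.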

Or invalidate and send an email.


Interestingly, when reddit upgraded to bcrypt, they refused to do this because so many users don't know their passwords and it would lock lots of people out of their accounts forever (remember, reddit doesn't require email addresses to register).

http://reddit.com/r/changelog/comments/lj0cb/reddit_change_p...


Good on them for knowing their users?



