#6072 - If the password ratchet is changed, update member passwords when they next log in
| Identifier | #6072 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | If the password ratchet is changed, update member passwords when they next log in |
| Status | Completed |
| Tags | Roadmap: v11 (custom), Type: Security (custom) |
| Handling member | PDStig |
| Version | 11 beta6 |
| Addon | core_cns |
| Description | "It is impossible to retroactively upgrade old password hashes, or to retroactively downgrade password hash complexity if you set it too high – unless you force users to change their passwords." This statement is not entirely true. When a member logs in, we can gather what the ratchet was when hashing a member's password by looking at the hash itself. And then we can compare it to the site ratchet. If they are not equal, and we know the member's password because they just attempted a log-in (so we have their input in plain text), we can re-hash their password in the database after verifying with the old hash. This is ideal for enhanced security without always having to force password resets. |
| Steps to reproduce | |
| Funded? | No |
| Commits | |
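The verify-then-rehash flow the description proposes, as an added example in Python (not Invision Community code). It uses a self-describing `$pbkdf2-sha256$rounds$salt$digest` string in place of the site's real hash format so the stored work factor can be read back from the hash; `SITE_ROUNDS`, the member dict and the hash layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Site-wide work factor ("ratchet") currently configured. Assumed value for this example.
SITE_ROUNDS = 100_000
ALGO = "pbkdf2-sha256"


def hash_password(password: str, rounds: int = SITE_ROUNDS) -> str:
    """Hash with a fresh random salt; the rounds are embedded so they can be read back later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "$%s$%d$%s$%s" % (ALGO, rounds,
                             base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def parse_hash(stored: str):
    """Split a stored hash into (algorithm, rounds, salt, digest)."""
    _, algo, rounds, salt, digest = stored.split("$")
    return algo, int(rounds), base64.b64decode(salt), base64.b64decode(digest)


def verify(password: str, stored: str) -> bool:
    """Check a password against the stored hash using the rounds recorded in that hash."""
    algo, rounds, salt, digest = parse_hash(stored)
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def needs_rehash(stored: str, rounds: int = SITE_ROUNDS) -> bool:
    """True when the stored hash's ratchet differs from the site's (higher or lower)."""
    algo, stored_rounds, _, _ = parse_hash(stored)
    return algo != ALGO or stored_rounds != rounds


def login(member: dict, password: str, rounds: int = SITE_ROUNDS) -> bool:
    """Verify first; only on success, and only if the ratchet changed, store a new hash."""
    if not verify(password, member["password_hash"]):
        return False  # never touch the stored hash on a failed attempt
    if needs_rehash(member["password_hash"], rounds):
        member["password_hash"] = hash_password(password, rounds)
    return True
```

Because the plaintext is only available during a successful login, a member who never logs in again keeps the old hash, which is the residual case a forced reset would still be needed for.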

Comments
This patch introduces automatic re-hashing of passwords when the ratchet is changed (on the next time a member logs in).