List: wikitech-l
Subject: Re: [Wikitech-l] Can we kill $wgPasswordSalt
From: Tim Starling <tstarling () wikimedia ! org>
Date: 2013-05-31 1:38:20
Message-ID: ko8uu8$ul5$1 () ger ! gmane ! org

On 30/05/13 06:38, Daniel Friesen wrote:
> The current documentation on the setting is also completely and totally
> false. It says "For compatibility with old installations set to
> false.", but at this point this has absolutely nothing to do with
> compatibility.

I'm pretty sure it is still true, with the code as it stands. There's
a difference between "completely and totally false" and "should
probably be false in the future".

> Frankly even if we do have any sort of remaining incompatibility I'd
> bet it would be fairly trivial to actually solve (eg: For ancient
> password hashes just try both ancient algorithms instead of just one).

Feel free to change User::comparePasswords() to do that, and then
deprecate $wgPasswordSalt. If there are authentication plugins that
depend on it, it would be polite to allow for a deprecation period
rather than just removing it.

-- Tim Starling
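
Added example, not part of the original message and not MediaWiki's own code: a sketch of the "try both ancient algorithms" check proposed in the thread, so that verification no longer depends on a site-wide salt setting. The function names, the sample rows and the assumed hash layouts (listed in the comments) are illustrative assumptions.

```php
<?php
// Illustrative sketch only; not MediaWiki's User::comparePasswords().
// Assumed legacy layouts (not stated in the message above):
//   ":A:<md5(password)>"
//   ":B:<salt>:<md5(salt . '-' . md5(password))>"
//   untyped 32-hex hash: md5(password), or md5(userId . '-' . md5(password)),
//   depending on what $wgPasswordSalt was when the row was written.

// Both possible "ancient" digests for one password (hypothetical helper).
function ancientCandidates(string $password, ?int $userId): array
{
    $inner = md5($password);
    $out = [$inner];                          // row written with salt off
    if ($userId !== null) {
        $out[] = md5($userId . '-' . $inner); // row written with salt on
    }
    return $out;
}

function comparePasswordAnySalt(string $stored, string $password, ?int $userId = null): bool
{
    $type = substr($stored, 0, 3);
    if ($type === ':A:') {
        return hash_equals((string) substr($stored, 3), md5($password));
    }
    if ($type === ':B:') {
        $parts = explode(':', (string) substr($stored, 3), 2);
        if (count($parts) !== 2) {
            return false;                     // malformed row: fail closed
        }
        return hash_equals($parts[1], md5($parts[0] . '-' . md5($password)));
    }
    // Untyped ancient hash: test every candidate, no configuration lookup.
    $ok = false;
    foreach (ancientCandidates($password, $userId) as $candidate) {
        $ok = hash_equals($stored, $candidate) || $ok; // constant-time compare
    }
    return $ok;
}

// Constructed sample rows for user id 42.
$pw = 'correct horse';
$rows = [md5($pw), md5('42-' . md5($pw)), ':A:' . md5($pw),
         ':B:1a2b:' . md5('1a2b-' . md5($pw))];
foreach ($rows as $row) {
    var_dump(comparePasswordAnySalt($row, $pw, 42));      // true for each row
}
var_dump(comparePasswordAnySalt($rows[1], 'wrong', 42));  // false
```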