Thank you. Out of curiosity, why bcrypt and not scrypt? There is debate in
the security community about which is better so my comment isn't intended
as criticism. I'm just interested in the thinking behind this decision.
Thanks,
Pine
On Jul 28, 2014 1:35 PM, "Tyler Romeo" <tylerromeo(a)gmail.com> wrote:
Hi everybody,
I was on the brink of celebrating the one-year anniversary of a patch I
submitted being open, but today it was finally merged!
https://gerrit.wikimedia.org/r/77645
The old User::comparePasswords() and User::crypt() functions have been
replaced with a new password hashing API. This means MediaWiki now natively
supports Bcrypt and PBKDF2 as replacement password hashing algorithms.
Furthermore, the system allows seamless transitioning, meaning users’
password hashes will be updated automatically the next time they log in.
This means that MD5 is almost out the door, which is a big win (a follow
up patch,
https://gerrit.wikimedia.org/r/149658, changes the default to
PBKDF2, which would mean any wiki that upgrades to 1.24 would automatically
switch away from MD5).
I’d like to thank Aaron Schulz, Chris Steipp, Krinkle, and many others who
helped get this through.
--
Tyler Romeo
0x405D34A7C86B42DF
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l