On Sun, 2003-03-30 at 07:04, Tim Starling wrote:
> Gee, the interesting things you find when browsing the
> Wikipedia codebase.
> Don't you people know what salt is?

Nothing like reinventing a wheel to reinvent old bugs, is there? :)

> Don't worry, I fixed it. What do I do with the rectified code (once I've
> read over it a couple more times)?

By all means, send it over.
Obviously we'd have to add a note explaining that everyone has to reset
their password. Not everyone has an e-mail address attached to their
account, so we'd need to add a web form for doing this. That obviously
would require first validating the person with their current password
with the current hashing code; so we'd probably need a marker to
indicate that each user's password field is upgraded.
Of course, all our passwords are sent in cleartext over the internet
anyway, so should never be assumed to be secure.
-- brion vibber (brion @ pobox.com)
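
Added example, not part of the original message or the Wikipedia code: a sketch of the migration described above, where a password-change form validates the current password with the old hashing code, stores the new one salted, and sets a per-user upgrade marker. Assumptions: the legacy scheme is taken to be an unsalted MD5 hex digest (the thread does not name it), PBKDF2-HMAC-SHA256 is this example's choice of salted scheme, and the `user` dict fields and function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def legacy_hash(password: str) -> str:
    # Assumption: the old code stored an unsalted MD5 hex digest.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # A per-user random salt makes identical passwords hash differently.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    ).hex()


def check_password(user: dict, password: str) -> bool:
    """Verify with whichever scheme the row's upgrade marker says it uses."""
    if user["upgraded"]:
        expected = salted_hash(password, bytes.fromhex(user["salt"]))
    else:
        expected = legacy_hash(password)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, user["hash"])


def change_password(user: dict, current: str, new: str) -> bool:
    """Web-form handler: validate the current password first, then store
    the new one salted and flip the marker so the row is never checked
    with the legacy code again."""
    if not check_password(user, current):
        return False
    salt = os.urandom(16)
    user.update(hash=salted_hash(new, salt), salt=salt.hex(), upgraded=True)
    return True


def make_legacy_user(password: str) -> dict:
    # Constructed sample row in the pre-migration format.
    return {"hash": legacy_hash(password), "salt": "", "upgraded": False}
```
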