Jens Frank wrote:
We'll create some new indexes that should improve
site
performance. To do this, we need to set the wikis to
read only at 3 a.m. UTC (5a.m. Berlin/Paris, about
10 p.m. Chicago). The downtime will take about 2 hours.
While we're on this, that would be a good time to run the password hash
salting.
We'd originally held off on that because a migration to shared user
accounts could change user IDs (and thus the salt), breaking all
password hashes. However it looks like the type of shared account system
we'll end up with is going to be a central account + local accounts, and
a mass migration isn't necessary: people will 'upgrade' their accounts
and be able to punch in their password for confirmation at the time.
For that type of scheme the salt will not be an issue, so we've got no
excuse not to do it.
(For those who didn't notice, Slashdot ran a scaremongering "story"
today about a list of troll accounts Tim made almost a year ago by
comparing password hashes under the title "Wikipedia Leaks Some Users'
Passwords". Slashdot's fun, but it's not journalism; don't expect to
ever get an e-mail from a Slashdot editor asking for comment or
confirmation on facts... Anyway, at least it reminded us we haven't
finished the salted hash transition.)
-- brion vibber (brion @
pobox.com)