On Sun, 2003-03-30 at 07:04, Tim Starling wrote:
Gee, the interesting things you find when browsing the Wikipedia codebase. Don't you people know what salt is?
Nothing like reinventing a wheel to reinvent old bugs, is there? :)
Don't worry, I fixed it. What do I do with the rectified code (once I've read over it a couple more times)?
By all means, send it over.
Obviously we'd have to add a note explaining that everyone has to reset their password. Not everyone has an e-mail address attached to their account, so we'd need to add a web form for doing this. That obviously would require first validating the person with their current password with the current hashing code; so we'd probably need a marker to indicate that each user's password field is upgraded.
Of course, all our passwords are sent in cleartext over the internet anyway, so should never be assumed to be secure.
-- brion vibber (brion @ pobox.com)
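
The upgrade path discussed in the message above (validate with the current hashing code, then store a salted hash and set a per-user marker), as an added example that is not code from this thread or from the Wikipedia codebase. It assumes the old scheme is an unsalted MD5 hex digest, uses PBKDF2-HMAC-SHA256 with a random per-user salt as a stand-in for the salted replacement, and the record fields `hash`, `salt` and `upgraded` are hypothetical names.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the upgraded scheme


def legacy_hash(password: str) -> str:
    # Assumption: the old scheme is an unsalted MD5 hex digest.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Stand-in for the salted replacement: PBKDF2-HMAC-SHA256, per-user salt.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return raw.hex()


def set_password(user: dict, password: str) -> None:
    # Store a fresh random salt, the salted hash, and the "upgraded" marker.
    salt = os.urandom(16)
    user.update(salt=salt.hex(), hash=salted_hash(password, salt), upgraded=True)


def verify_and_upgrade(user: dict, password: str) -> bool:
    # The marker selects which hashing code validates this record.
    if user.get("upgraded"):
        expected = salted_hash(password, bytes.fromhex(user["salt"]))
        return hmac.compare_digest(expected, user["hash"])
    # Legacy record: validate with the old code, then re-hash on success.
    if not hmac.compare_digest(legacy_hash(password), user["hash"]):
        return False
    set_password(user, password)
    return True


def make_legacy_users() -> dict:
    # Constructed sample records: two accounts sharing one password.
    return {n: {"hash": legacy_hash("correct horse"), "upgraded": False}
            for n in ("alice", "bob")}


if __name__ == "__main__":
    users = make_legacy_users()
    print(users["alice"]["hash"] == users["bob"]["hash"])  # unsalted: equal
    for u in users.values():
        verify_and_upgrade(u, "correct horse")
    print(users["alice"]["hash"] == users["bob"]["hash"])  # salted: differ
```

Records that never pass through `verify_and_upgrade` keep their unsalted hash, which is why the marker has to stay in place until every account has been validated once or reset.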