It would be nice to kill off $wgPasswordSalt if we could (the ability to set it to false that is). This setting controls whether we use a salted password algorithm or an unsalted one. Basically making something somewhat secure almost completely insecure. This setting appears to exist to make it possible for auth plugins on other pieces of 3rd party software to login using MediaWiki accounts by directly accessing MediaWiki's database but not bothering to understand any of MediaWiki's password algorithms. A fairly dubious rationale to exist IMHO. The current documentation on the setting is also complete and totally false. It says "For compatibility with old installations set to false.", but at this point this has absolutely nothing to do with compatibility. Frankly even if we do have any sort of remaining incompatibility I'd bet it would be fairly trivial to actually solve (eg: For ancient password hashes just try both ancient algorithms instead of just one). -- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/] _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

The current documentation on the setting is also complete and totally false. It says "For compatibility with old installations set to false.", but at this point this has absolutely nothing to do with compatibility.

Frankly even if we do have any sort of remaining incompatibility I'd bet it would be fairly trivial to actually solve (eg: For ancient password hashes just try both ancient algorithms instead of just one).