Obviously we'd have to add a note explaining that everyone has to reset
their password. Not everyone has an e-mail address attached to their
account, so we'd need to add a web form for doing this. That obviously
would require first validating the person with their current password
with the current hashing code; so we'd probably need a marker to
indicate that each user's password field is upgraded.
No-one will have to reset their password. I'll just use md5(md5(password) +
salt) for the new hash. The only thing users will notice is that their
stored cookies will stop working and they'll have to log in again.
-- Tim Starling.
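
The in-place upgrade described in the reply above, as an added example that is not part of the original message or the project's code: each stored md5(password) is wrapped into md5(md5(password) + salt) without needing the plaintext, so existing passwords keep verifying. The hex encoding of the inner hash, plain string concatenation, the per-user random salt and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (assumed encoding of the stored hashes)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def upgrade_record(legacy_hash: str, salt: Optional[str] = None) -> dict:
    """Wrap a stored md5(password) as md5(md5(password) + salt).

    Only the old hash is needed, so the migration runs offline over the
    user table and nobody has to reset or re-enter a password.
    """
    if salt is None:
        salt = secrets.token_hex(8)  # per-user random salt (assumed size)
    return {"salt": salt, "hash": md5_hex(legacy_hash + salt)}


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against an upgraded record."""
    candidate = md5_hex(md5_hex(password) + record["salt"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(candidate, record["hash"])


def migrate(users: dict) -> dict:
    """Upgrade every legacy row: {username: md5(password)} -> salted records."""
    return {name: upgrade_record(old) for name, old in users.items()}


# Constructed sample table: two users who happen to share a password,
# stored in the old unsalted md5(password) format.
LEGACY_USERS = {
    "alice": md5_hex("correct horse"),
    "bob": md5_hex("correct horse"),
}

if __name__ == "__main__":
    upgraded = migrate(LEGACY_USERS)
    print("alice logs in:", verify("correct horse", upgraded["alice"]))
    print("same stored hash:", upgraded["alice"]["hash"] == upgraded["bob"]["hash"])
```
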