I support that. If someone needs plain md5, they can use the hooks to
generate and compare the hashes.
On Wed, May 29, 2013 at 1:38 PM, Daniel Friesen
<daniel(a)nadir-seen-fire.com> wrote:
It would be nice to kill off $wgPasswordSalt if we could (the ability to set
it to false that is).
This setting controls whether we use a salted password algorithm or an
unsalted one. Basically making something somewhat secure almost completely
insecure.
This setting appears to exist to make it possible for auth plugins on other
pieces of 3rd party software to login using MediaWiki accounts by directly
accessing MediaWiki's database but not bothering to understand any of
MediaWiki's password algorithms.
A fairly dubious rationale to exist IMHO.
The current documentation on the setting is also completely and totally false.
It says "For compatibility with old installations set to false.", but at
this point this has absolutely nothing to do with compatibility.
Frankly even if we do have any sort of remaining incompatibility I'd bet it
would be fairly trivial to actually solve (eg: For ancient password hashes
just try both ancient algorithms instead of just one).
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
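
Added example, not part of the original messages and not MediaWiki's code: a verifier that follows the suggestion in the quoted message of trying both ancient algorithms for prefix-less hashes, so old rows can be checked without a salt on/off setting. The `:A:`/`:B:` prefixes and the `md5(salt-md5(password))` layout are assumptions about MediaWiki's stored format at the time, and every function name here is hypothetical.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructors for the assumed stored layouts, used to build sample rows.
def hash_a(password):                      # ":A:" prefix, unsalted
    return ":A:" + md5_hex(password)


def hash_b(password, salt):                # ":B:" prefix, per-hash salt
    return ":B:%s:%s" % (salt, md5_hex(salt + "-" + md5_hex(password)))


def hash_legacy(password, user_id=None):   # no prefix; user id as salt, or none
    inner = md5_hex(password)
    return inner if user_id is None else md5_hex("%d-%s" % (user_id, inner))


def same(a, b):
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify(stored, password, user_id):
    """Check a password against any layout without reading a salt setting."""
    inner = md5_hex(password)
    if stored.startswith(":A:"):
        expected, candidates = stored[3:], [inner]
    elif stored.startswith(":B:"):
        salt, _, expected = stored[3:].partition(":")
        candidates = [md5_hex(salt + "-" + inner)]
    else:
        # Ancient hash: try both ancient algorithms instead of just one.
        expected = stored
        candidates = [md5_hex("%d-%s" % (user_id, inner)), inner]
    return any([same(expected, c) for c in candidates])


def is_unsalted(stored, password):
    """True when a verified hash is plain md5(password) and is due a salted re-hash."""
    bare = stored[3:] if stored.startswith(":A:") else stored
    return same(bare, md5_hex(password))
```

Calling `is_unsalted` after a successful `verify` identifies the rows that can be upgraded to the salted layout at login time.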