Update password hash algorithm to SHA256 #6638
Conversation
There was a problem hiding this comment.
I think this is a good change. So long as others are ok with this @valadas I think we just need to find out how to document/note this in the release notes? Or maybe it goes in dnndocs?
|
What we discussed is that would be for new installs only. But we would document how to migrate to it for upgrades. We need to test the process but if I remember correctly you just have run an sql script to force password reset upon next login. |
|
@valadas ok, deleted my comment as I didn't notice the "new installs only" remark. And yes, password reset is the only way foward for existing users. |
|
@r90727 you got me scratching my head a bit there, I was replying to a ghost lol... |
|
@valadas I thought we had targeted included this one in the RC, did I mis-remember? |
This PR updates the default hash algorithm to SHA256. It does not add any logic for migrating users from SHA1 hashes, it only affects new installations.
I have tested that password history works as expected.
Fixes #6614