[Opensim-dev] seamless migration of password hash & salt from md5 to sha-512

Gudule Lapointe gudule at spekuloos.be
Sun Jun 10 10:32:46 UTC 2012


Not only does this force all third-party modules using authentication to be changed (for this, changing the hash method should be an option, not an arbitrary change).

This also means the update process is not immediate; it relies on every single user logging in via OpenSim.
It could take months before all the passwords are updated. Practically, they won't ever, probably.
In the meantime, authentication via third-party modules will be broken for part of the users (the ones already updated, or the other ones, depending on whether the web module is patched or not).


--
http://www.speculoos.net/
secondlife://speculoos.net:8002/
Speculoos, the belgian cookie-flavored metaverse

On 10 June 2012 at 07:15, SignpostMarv Martin wrote:

> clarification; I missed out the phrase "the patch simply checks when authentication occurs"
> 
> On 10/06/2012 05:52, SignpostMarv Martin wrote:
>> Earlier I decided to see if it was feasible to seamlessly migrate the password hash & salt from md5 to sha-512 - turns out it is :D
>> 
>> By seamless I mean the grid operator need take no action - the patch simply checks if the salt in the db is of length 32 & uses md5 checking if it is, sha-512 if it isn't; if it is md5 and the submitted password is valid, the stored hash & salt are updated with new sha-512 values.
>> 
>> As mentioned on the mantis ( http://opensimulator.org/mantis/view.php?id=6046 ), any third-party software which directly reads the database would need to be updated to do similar salt length checks.
>> 
>> Additionally, the provided patch is incomplete as I'm unsure of the migration syntax for MSSQL/SQLite.
>> 
>> 
>> ~ Marv.
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
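
The migrate-on-login rule and the third-party breakage discussed in this thread, as an added Python example that is not part of the thread or of the OpenSim patch. The hash composition (hash of salt + password), the record layout and all function names are assumptions; only the salt-length-32 rule comes from the messages above.

```python
import hashlib, hmac, secrets

# Assumed composition: the thread gives only the salt-length rule, not how
# password and salt are combined, so hash(salt + password) is illustrative.
def md5_hash(password, salt):
    return hashlib.md5((salt + password).encode()).hexdigest()

def sha512_hash(password, salt):
    return hashlib.sha512((salt + password).encode()).hexdigest()

def is_legacy(record):
    # Rule from the thread: a 32-character salt marks an md5 record.
    return len(record["salt"]) == 32

def verify_and_upgrade(record, password):
    """Core login: verify with the scheme the salt length selects and
    rewrite a valid md5 record as sha-512 in place."""
    if not is_legacy(record):
        return hmac.compare_digest(sha512_hash(password, record["salt"]), record["hash"])
    ok = hmac.compare_digest(md5_hash(password, record["salt"]), record["hash"])
    if ok:
        # 64 hex chars, so the new salt is never mistaken for a legacy one.
        record["salt"] = secrets.token_hex(32)
        record["hash"] = sha512_hash(password, record["salt"])
    return ok

def third_party_md5_only(record, password):
    """Unpatched module reading the table directly: always assumes md5."""
    return hmac.compare_digest(md5_hash(password, record["salt"]), record["hash"])

def third_party_patched(record, password):
    """Patched module: same salt-length check, read-only (no upgrade)."""
    scheme = md5_hash if is_legacy(record) else sha512_hash
    return hmac.compare_digest(scheme(password, record["salt"]), record["hash"])

def make_legacy_record(password):
    salt = secrets.token_hex(16)  # constructed sample: 32 hex characters
    return {"salt": salt, "hash": md5_hash(password, salt)}

def demo():
    alice = make_legacy_record("alice-pw")  # logs in through the core service
    bob = make_legacy_record("bob-pw")      # never logs in again
    verify_and_upgrade(alice, "alice-pw")
    return {
        "alice_migrated": not is_legacy(alice),
        "bob_migrated": not is_legacy(bob),
        "md5_only_alice": third_party_md5_only(alice, "alice-pw"),
        "md5_only_bob": third_party_md5_only(bob, "bob-pw"),
        "patched_alice": third_party_patched(alice, "alice-pw"),
        "patched_bob": third_party_patched(bob, "bob-pw"),
    }
```

`demo()` leaves the table in the mixed state the reply describes: the user who logged in is on sha-512 and fails in the md5-only module, while the user who never logs in stays on md5 indefinitely.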
