
 Stronger Password Encryption
#
This is an "under the hood" update that's been in the works for a while, and will, for the most part, be uneventful. However, it does deserve to be mentioned because I want people to use it when it's finally openly available. For some time I have been working to change the password encryption scheme used on JFH to be more modern.

Presently, we use something called MD5, which is a 32-character hash of your password. The upgrade I have installed changes the system to bcrypt -- a 60-character hash that is more future-proof, and its strength can be dynamically adjusted. In short: bcrypt is much better for us/your board.

This change, however, is not automatic. The upgrade must be done on a per-board basis. I'll make this as easy as clicking a button in the Admin CP that says "upgrade me" or something like that in the future, but at the moment this is in testing phase.

To start, it's been enabled on the support board, so this topic is for feedback regarding that. I would like to hear about any incidents where you were unable to log in here. There should not be any, and I have already noticed that users logging in are having their hashes changed to the stronger system without even realizing it / knowing it (that's good!).

This topic will also be for questions regarding this update as well. Should the support board trial continue to go well, I would like to find some other boards to upgrade as well. Let me know here if you'd be interested.

Once again, this update is extremely transparent. If you've logged out and logged in here recently, you are using a bcrypt-password and don't even notice it.

signature
email: admin@jcink.com :: blog: John C.
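
The upgrade-on-login behaviour described in the post above, sketched as an added example that is not part of the original post and is not the forum software's own code. It assumes legacy rows hold an unsalted hex MD5 digest; the in-memory `$users` store, the `login()` and `isLegacyMd5()` helpers, and the cost of 12 are hypothetical.

```php
<?php
// Added example: hypothetical user store; the board's real schema is not shown in this thread.
const BCRYPT_OPTS = ['cost' => 12]; // assumed work factor

// Constructed sample rows: one legacy MD5 hex digest, one account already on bcrypt.
$users = [
    'alice' => ['hash' => md5('correct horse')],
    'bob'   => ['hash' => password_hash('hunter2!', PASSWORD_BCRYPT, BCRYPT_OPTS)],
];

function isLegacyMd5(string $hash): bool
{
    // A legacy row is exactly 32 hex characters; a bcrypt hash is 60 characters and starts with "$2".
    return (bool) preg_match('/\A[0-9a-f]{32}\z/i', $hash);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (isLegacyMd5($stored)) {
        // Constant-time comparison against the old digest.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false; // failed logins never touch the stored hash
    }

    // The plaintext is only available at this point, so the row is upgraded here:
    // legacy MD5 rows always, bcrypt rows only if the configured cost has been raised since.
    if (isLegacyMd5($stored) || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong'));         // wrong password: row stays on MD5
var_dump(isLegacyMd5($users['alice']['hash']));
var_dump(login($users, 'alice', 'correct horse')); // correct password: row is rewritten as bcrypt
var_dump(isLegacyMd5($users['alice']['hash']));
var_dump(login($users, 'alice', 'correct horse')); // second login is verified against bcrypt
```

With this approach, rows for accounts that never log in again stay on MD5.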
#
This will roll out to newly created forums soon, approx ~2 weeks.

Upgrade options via Admin CP will be available shortly after. This has been working perfectly so far.

Part of this is also a bump in the security of Admin CP session security keys, and lost password keys as well.

signature
email: admin@jcink.com :: blog: John C.
#
This has been rolled out to newly created boards.

signature
email: admin@jcink.com :: blog: John C.
#
When does the upgrade happen/how will it work for already created boards?


#
Already created boards will see an alert in the Admin CP to click a button and do an upgrade. This has not been added yet, though. It will be done soon-ish; I'm working on another security-related issue at the moment.

This board has already been upgraded for weeks, but I did it from my end.

signature
email: admin@jcink.com :: blog: John C.
#
A bug regarding email changes has been fixed.

Also, this has not been forgotten, just sleeping with respect to https. And any new forum has been on the stronger password system for ~2 months now and we've seen great success with it.

signature
email: admin@jcink.com :: blog: John C.