SSHA, salting, etc.

We recently upgraded from 2.1.22 to 2.2.11. After the process was
complete, we discovered that virtually all of our user passwords had
stopped working. After about a day of panic and horror, we discovered that
the new version doesn't like SSHA passwords salted with fewer than four
characters, and that a lot of our passwords had been generated that way.
We've hacked the source now (since we can't ask all of our users to change
their passwords at the present time, even though the relevant tool is now
updated to use four-character salts), but I was wondering about a couple
of things:

1. Is this change listed anywhere? I didn't run across it in any of my
frantic Google searches and it would have been nice to see earlier.
2. Is there a relevant standard that says SSHA salts must be at least four
characters? The Perl code we were using to make passwords was grabbed off
of a Netscape web site long, long ago (although it's remarkably similar to
what's being used as an example in the Faq-o-matic these days, aside from
the character length issue).


John Klein
Database Applications Developer
Information Technology Services - Harvard Law School
Omnia Mutantur, Nihil Interit
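As an added example (not the poster's Perl script or OpenLDAP's own code), the following Python shows the {SSHA} layout, how to recover the salt length from a stored value, and how to flag entries salted with fewer than four bytes, the case the post describes. The four-byte minimum is taken from the post's report about 2.2.11, not from a standard.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20
MIN_SALT_LEN = 4  # minimum the poster reports 2.2.11 accepting (assumption from the post)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(MIN_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt); the salt is whatever follows the 20-byte SHA-1."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < SHA1_LEN:
        raise ValueError("too short to contain a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def salt_length(value: str) -> int:
    return len(split_ssha(value)[1])


def check_ssha(password: str, value: str) -> bool:
    """Verify a password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def needs_resalt(value: str) -> bool:
    """True for stored values whose salt is shorter than MIN_SALT_LEN bytes."""
    return salt_length(value) < MIN_SALT_LEN


if __name__ == "__main__":
    # Constructed sample: a two-byte salt as the old tool produced, then a fresh one.
    old = make_ssha("secret", b"ab")
    print(old, salt_length(old), needs_resalt(old))
    new = make_ssha("secret")
    print(new, salt_length(new), needs_resalt(new))
```

Running `needs_resalt` over the userPassword values in an LDIF export is one way to count how many entries still carry a short salt before an upgrade.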