The user passwords are hashed using SHA1 at the moment, which is not secure. The passwords should be stored using bcrypt. Rails has an API for this: http://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password

We don't want to make all users reset their password, so we need to gradually migrate users to bcrypt. A possible solution will be to add a new column `password_digest` to `User` and populate it when the user logs in the next time. At this point we will be able to also clear out the `password` field of that user, removing the unsafe SHA1 digest.

This way we will be able to gradually migrate users away from SHA1. After a while (1 year?) we can reset the passwords of all the users that haven't logged in and clear out all remaining SHA1 digests.
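The login-time migration described above, as an added example that is not part of the issue or the project: a plain-Ruby stand-in for the `User` model with the legacy `password` column and the new `password_digest` column. It assumes the legacy column holds an unsalted hex SHA1; and because the bcrypt gem is not in the standard library, the new digest here is PBKDF2-HMAC-SHA256 from stdlib OpenSSL standing in for bcrypt (in the real app, `strong_digest`/`strong_verify` would be `BCrypt::Password`, as `has_secure_password` uses).

```ruby
require 'digest/sha1'
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for the Rails User model (no ActiveRecord).
class User
  attr_accessor :password, :password_digest # legacy SHA1 hex / new strong digest
  ITERATIONS = 100_000

  # Login path: check the new digest first; fall back to the legacy SHA1 column
  # and migrate on the spot only when that legacy check succeeds.
  def authenticate(plaintext)
    if password_digest
      strong_verify(plaintext, password_digest)
    elsif password
      return false unless legacy_sha1_verify(plaintext, password)
      migrate!(plaintext)
      true
    else
      false # neither column set: account needs a password reset
    end
  end

  # Populate password_digest and clear the SHA1 digest, as the issue proposes.
  def migrate!(plaintext)
    self.password_digest = strong_digest(plaintext)
    self.password = nil
  end

  # Accounts still on SHA1; candidates for the eventual forced reset.
  def legacy?
    password_digest.nil? && !password.nil?
  end

  private

  def legacy_sha1_verify(plaintext, stored_hex)
    secure_compare(Digest::SHA1.hexdigest(plaintext), stored_hex)
  end

  # PBKDF2 stands in for bcrypt here; format: pbkdf2$iterations$salt$hash
  def strong_digest(plaintext)
    salt = SecureRandom.hex(16)
    "pbkdf2$#{ITERATIONS}$#{salt}$#{pbkdf2(plaintext, salt, ITERATIONS)}"
  end

  def strong_verify(plaintext, stored)
    _scheme, iters, salt, hash = stored.split('$')
    secure_compare(pbkdf2(plaintext, salt, iters.to_i), hash)
  end

  def pbkdf2(plaintext, salt, iters)
    OpenSSL::KDF.pbkdf2_hmac(plaintext, salt: salt, iterations: iters,
                             length: 32, hash: 'sha256').unpack1('H*')
  end

  # Constant-time comparison so verification does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```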