Arc Forumnew | comments | leaders | submitlogin
2 points by rocketnia 4093 days ago | link | parent

Stdout munging looks like the easiest option, really. :-p

---

"Also, arc currently uses sha1, and I updated anarki to switch to sha512. This will break existing passwords."

A way to fix this is to annotate each hash with information about which algorithm was used to make it. As users log in, hash their input both ways, and replace the stored hash on success. All of PHP's hashing functions automatically prepend algorithm information to the result, and PHP has a corresponding feature to verify that a hash (annotated with algorithm information) matches a document. PHP's format isn't very elegant, but it's the closest I've seen to a standard. (Not that I've actually seen it implemented anywhere but PHP, but that PHP developers who want to migrate to another language will end up having to parse this format from their databases and either migrate it or code to it.)

It's worth noting that one pass of sha512 isn't very secure, since the speed of the algorithm makes it easy to reverse a compromised hash by comparing it to the hash of every possible password. I'm not sure what the state of the art is, but one very common recommendation is bcrypt: http://codahale.com/how-to-safely-store-a-password/

Even Hacker News uses (or has used) bcrypt: http://news.ycombinator.com/item?id=3099372