Arc Forumnew | comments | leaders | submitlogin
1 point by dram 4217 days ago | link | parent

PG and RTM may break other code, but I think they will not break their own code, as news.arc is inside of Arc, not outside. :)

I'm curious how did you migrate passwords, I thought some more code are needed to migrate them automatically.



3 points by akkartik 4217 days ago | link

Yeah, I wrote some more code :)

First I transformed all existing hashes:

  (maptable [list 'sha512_sha1 (sha512 _)] hpasswords*)
Then, as users login and I momentarily have their unhashed passwords, I hash it with just sha512, making the hpasswords* value:

  (= hpasswords*.user
     (list 'sha512 (sha512 password)))
Password verification can now use the first element (the 'type') to decide how to hash the password.

-----

1 point by akkartik 4217 days ago | link

"I think they will not break their own code, as news.arc is inside of Arc, not outside."

But then how would they ever migrate beyond sha1? Would the hundred-year language save passwords in a way that gets more insecure every year?

I think arc's default assumption is that there's no difference between 'inside' and 'outside'. And this is how lisp used to be.

-----

2 points by dram 4217 days ago | link

Another method would be hash sha1 hashed values directly, like:

  (sha512 (+ (sha1 pw) user-salt site-salt))
Anyway, existing passwords still need to be migrated manually.

BTW, for security, it is also unsecure to pass unhashed passwords around network, unless use https.

-----

1 point by akkartik 4217 days ago | link

"BTW, for security, it is also unsecure to pass unhashed passwords around network, unless use https."

Yes. Though you can get that with apache or nginx.

-----