Separate from the password policy, we should have the following standards when it comes to storing passwords:
* Passwords stored in a database should use the following format:
** sha512 hashing
** Unique per-user salt
** Private system salt of 20 chars in addition to the per-user salt
** Private system salt would be system only and not stored with the user hash or in the databases.
** Need the ability to change/rotate hashes
It would look something like this:
* privateSystemSalt examples:
** privateSystemSalt["2010-10-13"] = "01234567890123456789"; // legacy privateSystemSalt
** privateSystemSalt["2011-01-01"] = "214bg423df214bg423df"; // legacy privateSystemSalt 2
** privateSystemSalt["2011-01-11"] = "^&*FDF3fc_Fer3fcj^&*FDF3fc_"; // current
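As an added worked example (not code from the original page), here is how the scheme above could be implemented in Python: sha512 over a private system salt plus a unique per-user salt, with each stored record carrying the date key of the system salt it was hashed under so that records can be re-hashed under the current salt at next login. The concatenation order, the record layout and the `salt_id` field are assumptions.

```python
import hashlib
import hmac
import os

# The page's privateSystemSalt table, keyed by date. In a real deployment this
# lives only on the application side (config/secret store), never in the database.
PRIVATE_SYSTEM_SALT = {
    "2010-10-13": "01234567890123456789",            # legacy
    "2011-01-01": "214bg423df214bg423df",            # legacy 2
    "2011-01-11": "^&*FDF3fc_Fer3fcj^&*FDF3fc_",     # current
}
CURRENT_SALT_ID = "2011-01-11"


def _digest(password, user_salt, system_salt):
    # Assumed order: system salt || per-user salt || password, hashed with sha512.
    data = (system_salt + user_salt + password).encode("utf-8")
    return hashlib.sha512(data).hexdigest()


def hash_password(password, salt_id=CURRENT_SALT_ID, user_salt=None):
    """Return the record to store in the DB: salt id, per-user salt and hash."""
    if user_salt is None:
        user_salt = os.urandom(16).hex()  # unique per-user salt, stored with the hash
    return {"salt_id": salt_id, "user_salt": user_salt,
            "hash": _digest(password, user_salt, PRIVATE_SYSTEM_SALT[salt_id])}


def verify_password(password, record):
    """Constant-time comparison against the hash under the record's own salt id."""
    system_salt = PRIVATE_SYSTEM_SALT.get(record["salt_id"])
    if system_salt is None:
        return False  # system salt retired entirely: record can no longer be verified
    expected = _digest(password, record["user_salt"], system_salt)
    return hmac.compare_digest(expected, record["hash"])


def verify_and_rotate(password, record):
    """Verify; on success, re-hash a stale record under the current system salt."""
    if not verify_password(password, record):
        return False, record
    if record["salt_id"] != CURRENT_SALT_ID:
        record = hash_password(password)  # fresh per-user salt, current system salt
    return True, record
```

Rotation only happens when the plaintext is available (at login), so retiring an old system salt from the table locks out users whose records were never re-hashed; keep legacy salts until the migration is complete.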
===== Background =====
I have data on why we are not using bcrypt or something like it. This will be published shortly.
==== Migration ====