
WebAppSec/Secure Coding Guidelines

219 bytes added, 10:00, 12 October 2011
Small clarification on the secureness of bcrypt.
* http://yorickpeterse.com/articles/use-bcrypt-fool/
* https://en.wikipedia.org/wiki/Bcrypt
 
Keep in mind that bcrypt's cost factor only multiplies the price of each guess; it does not reduce the number of guesses an attacker needs. If a password is "123", a few attempts suffice, so even a high cost factor buys only seconds. Enforce a password policy (a minimum length and a check against common passwords, for example) alongside the hash.
==== Old Password Hashes ====
 
* Password hashes older than a year should be deleted from the system.
* After a password hash migration, old hashes should be removed within 3 months if the user has not yet logged in to trigger the conversion.
==== Migration ====
 
The following process can be used to migrate an application that uses a hashing algorithm other than the standard hash listed above. The benefit of this approach is that it instantly upgrades all stored hashes to the strong, recommended algorithm and does not require users to reset their passwords.
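The two points above (a slow hash still needs a password policy, and a migration that upgrades every stored hash at once without a password reset), as an added example that is not code from this wiki page. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt so it runs offline; with the bcrypt package the same structure applies using bcrypt.hashpw and bcrypt.checkpw. The record format, the WORK_FACTOR, the policy thresholds, the common-password list and the unsalted SHA-1 legacy scheme are all assumptions. The migration follows the standard pattern that has the properties the text describes: wrap each existing hash in the slow hash immediately, verify through both layers at login, and replace the wrapped record with a direct slow hash of the password once the password is known.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Stand-in for bcrypt so the example runs with only the standard library:
# PBKDF2-HMAC-SHA256 with the iteration count as the work factor.
WORK_FACTOR = 100_000          # assumed value; tune so one hash takes ~100 ms

MIN_PASSWORD_LENGTH = 12       # assumed policy; the page only says "good passwords"
COMMON_PASSWORDS = {"123", "123456", "password", "qwerty"}  # constructed blocklist


def check_password_policy(password: str) -> bool:
    """Reject passwords a slow hash cannot protect: too short or on the blocklist."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    return True


def slow_hash(data: bytes, salt: bytes, work: int = WORK_FACTOR) -> bytes:
    """The deliberately slow hash (bcrypt in the page's recommendation)."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, work)


def hash_password(password: str) -> str:
    """Stored record for a new or re-hashed password: scheme$work$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = slow_hash(password.encode(), salt)
    return f"slow${WORK_FACTOR}${salt.hex()}${digest.hex()}"


def legacy_hash(password: str) -> str:
    """The weak scheme being migrated away from: unsalted SHA-1 (assumed)."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def wrap_legacy(record: str) -> str:
    """Migration step 1: run every existing legacy record through the slow hash.
    This upgrades the whole table at once without knowing any password."""
    if not record.startswith("sha1$"):
        raise ValueError("not a legacy record")
    salt = secrets.token_bytes(16)
    digest = slow_hash(record.encode(), salt)
    return f"slow+sha1${WORK_FACTOR}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Migration step 2: verify against either scheme at login.
    Returns (ok, replacement_record). A wrapped record that verifies is
    replaced by a direct slow hash, so the legacy layer disappears the first
    time the user logs in; a plain record needs no replacement."""
    scheme, work, salt_hex, digest_hex = record.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "slow":
        material = password.encode()
    elif scheme == "slow+sha1":
        # Recompute the legacy hash and push it through the slow layer.
        material = legacy_hash(password).encode()
    else:
        return False, None
    actual = slow_hash(material, salt, int(work))
    if not hmac.compare_digest(actual, expected):
        return False, None
    if scheme == "slow+sha1":
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("policy ok:", check_password_policy(pw), check_password_policy("123"))
    wrapped = wrap_legacy(legacy_hash(pw))
    ok, replacement = verify(pw, wrapped)
    print("wrapped login:", ok, "rehashed:", replacement is not None)
```

When the slow layer really is bcrypt, remember that bcrypt uses only the first 72 bytes of its input: feed it the raw legacy digest or a base64 form rather than a long hex string (a hex SHA-512 is 128 bytes), or the wrapped value is silently computed over a truncated input. Records still in the wrapped scheme after the grace period given under Old Password Hashes are the ones to delete.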
