From alexm at alexm.org Sat Oct 3 16:16:20 2015
From: alexm at alexm.org (Alex Muntada)
Date: Sat, 3 Oct 2015 16:16:20 +0200
Subject: [Act-dev] a few ideas for legacy Act
In-Reply-To: <20150925201645.GE2532@zok>
References: <20150922182418.GB2034@xps> <20150925083510.GA15184@xps> <20150925201645.GE2532@zok>
Message-ID: <20151003141620.GA6258@xps>

Philippe Bruhat (BooK):
> My memories from the Act hackathon of 2014 is that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.

I added support for bcrypt with backwards compatibility for old MD5
digests. I have tested it in my vagrant box and it works:

https://github.com/book/Act/pull/63

With this PR the password will be rehashed when changed. Later, it
should be easy to add the logic to enforce password rehashing after
login if you want.

However, all this doesn't matter until the password is sent through a
secure channel.

Cheers,
Alex
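The migration path discussed above, as an added example that is not part of the PR or of Act's own code: a login routine that still verifies legacy unsalted MD5 digests but replaces them with a salted slow hash the first time the user logs in successfully. PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt the PR uses so the example runs offline, and the two stored-record formats are assumptions made here.

```python
"""Legacy-hash migration: accept old MD5 records, rehash to a slow salted hash on login."""
import hashlib
import hmac
import os

# Assumed record formats (constructed for this example, not Act's schema):
#   legacy:  32 hex chars, an unsalted MD5 digest of the password
#   strong:  "pbkdf2$<rounds>$<salt-hex>$<digest-hex>"
PBKDF2_ROUNDS = 200_000
HEX_DIGITS = set("0123456789abcdef")


def legacy_md5(password: str) -> str:
    """Produce a record in the old format (only for seeding test data)."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Fresh random salt per record; PBKDF2 stands in for bcrypt here."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    return len(stored) == 32 and set(stored.lower()) <= HEX_DIGITS


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison for both record formats; unknown formats fail closed."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored.lower())
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(password: str, stored: str):
    """Return (ok, new_record); new_record is set when the caller must update storage."""
    if not verify(password, stored):
        return False, None
    if is_legacy(stored):
        # Plaintext is only available at login, so this is the moment to upgrade.
        return True, strong_hash(password)
    return True, None
```

Once every record has been upgraded, the MD5 branch in `verify` can be deleted so the weak digests are never accepted again.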