dhis2-devs team mailing list archive

Re: Major changes to password handling

Thanks, good work!


On Tue, Sep 30, 2014 at 10:37 AM, Halvdan Grelland <halvdanhg@xxxxxxxxx>
wrote:

> Hi devs,
>
> Starting from trunk rev. 16881 (2.17 snapshot) we've made some major
> changes to the password handling scheme of DHIS 2. In short: all passwords
> and restore tokens are now stored as bcrypt hashes with random salts. This
> gives a great boost to security, but might carry some challenges for
> developers.
>
> All existing users in the DB are now being migrated to bcrypt hashes *on
> login*. In production this should work smoothly. However, in a development
> context you might encounter the following situation:
>
>  - Logging in with any user on DHIS rev >= 16881 will change the password
> hash to the new scheme.
>  - A development branch which has not been merged with DHIS rev > 16881
> yet will then fail to authenticate the same user (both branches run on the
> same dev db) as the hash is not a valid MD5 digest anymore.
>
> I strongly suggest you merge any active development branches with trunk
> ASAP to avoid this conflict. You could also run any older branches on a
> different database (the provided sample data has not yet been altered to
> reflect the new scheme).
>
> Feel free to email me if you have any questions.
>
> Halvdan Grelland
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>
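The migrate-on-login behaviour described in the message above, as an added Java example (not DHIS 2's own code): it tells a legacy MD5 digest apart from a bcrypt hash, verifies the password under whichever scheme is stored, and returns a fresh bcrypt hash for the caller to persist after a successful legacy login. Assumptions: the legacy value is an unsalted hex MD5 of the password (the message does not say how the old digest was formed), Spring Security's BCryptPasswordEncoder is on the classpath, and Java 17+ is used for HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.regex.Pattern;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/** Hypothetical login-time migration from legacy MD5 digests to salted bcrypt hashes. */
public final class PasswordMigration {
    // Legacy digest: 32 lowercase hex chars. Bcrypt: "$2a$10$" + 22-char salt + 31-char hash.
    private static final Pattern MD5_HEX = Pattern.compile("^[0-9a-f]{32}$");
    private static final Pattern BCRYPT = Pattern.compile("^\\$2[aby]\\$\\d{2}\\$.{53}$");
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(); // random salt per hash

    /** Authentication outcome; newStoredHash is non-null only when the stored value must be rewritten. */
    public record Result(boolean authenticated, String newStoredHash) {}

    public static boolean isLegacyMd5(String stored) { return MD5_HEX.matcher(stored).matches(); }
    public static boolean isBcrypt(String stored) { return BCRYPT.matcher(stored).matches(); }

    /** Assumed legacy scheme: unsalted MD5 of the UTF-8 password, hex-encoded. */
    static String legacyMd5(String password) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Verify under the stored scheme; on a legacy match hand back a bcrypt hash to persist. */
    public static Result authenticate(String password, String stored) {
        if (isBcrypt(stored)) {
            return new Result(ENCODER.matches(password, stored), null);
        }
        if (isLegacyMd5(stored)) {
            byte[] expected = legacyMd5(password).getBytes(StandardCharsets.UTF_8);
            boolean ok = MessageDigest.isEqual(expected, stored.getBytes(StandardCharsets.UTF_8)); // constant-time
            return ok ? new Result(true, ENCODER.encode(password)) : new Result(false, null);
        }
        return new Result(false, null); // unrecognised format: what an un-merged MD5-only branch sees
    }

    public static void main(String[] args) {
        String legacy = legacyMd5("sample-pass-01"); // constructed sample credential
        Result first = authenticate("sample-pass-01", legacy);
        System.out.println("legacy login ok: " + first.authenticated() + ", store: " + first.newStoredHash());
        Result second = authenticate("sample-pass-01", first.newStoredHash());
        System.out.println("bcrypt login ok: " + second.authenticated() + ", rehash: " + (second.newStoredHash() != null));
        System.out.println("old branch sees valid MD5 digest: " + isLegacyMd5(first.newStoredHash()));
    }
}
```

The final line of main prints false, which is the conflict the message warns about: once a user has logged in on the new code, the stored value is no longer a 32-character hex digest, so a branch that still expects MD5 rejects it.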