1. 13

  2. 3

    At first, and for no good reason, I disliked the idea of bcrypting a password hash. It just felt weird.

    Kudos for overcoming the weird feeling and investigating further. It “feels weird” to hear, but the reality is that lots of IT decisions are made on the basis of truthiness and not on the basis of fact and rationality.

    1. 3

      I suggested we do this at a previous job and was turned down, without a good reason. We did it the traditional way: maintain two code paths such that if a user logged in and had an old hash, we’d upgrade them. Not only was this stupid, it was also dangerous, since the old hashes were significantly weaker (just md5 with a 5 character salt), and most users never returned due to the type of application.
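The wrap-in-place migration the thread is discussing, as an added example that is not any commenter's code: every stored md5-with-short-salt digest is wrapped in a slow hash in one offline pass, so no weak digest stays in storage waiting for a user who may never return, and the wrapper is replaced by a direct hash only when that user next logs in. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the example runs offline (an assumption); the record layout and function names are invented for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 stands in for bcrypt here (assumption) so it runs offline


def legacy_md5(salt: str, password: str) -> str:
    """The weak legacy scheme from the comment: md5 over a short salt plus the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def slow_hash(material: str, salt: bytes) -> str:
    """Salted, slow hash standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS).hex()


def wrap_legacy(legacy_salt: str, legacy_digest: str) -> dict:
    """Offline migration: wrap the stored md5 digest. Runs over the whole table at once,
    so no weak digest stays in storage waiting for a user who may never log in again."""
    salt = os.urandom(16)
    return {"scheme": "wrapped-md5", "legacy_salt": legacy_salt,
            "salt": salt.hex(), "hash": slow_hash(legacy_digest, salt)}


def native(password: str) -> dict:
    """Record for a password hashed directly (new users, or after a rehash on login)."""
    salt = os.urandom(16)
    return {"scheme": "native", "salt": salt.hex(), "hash": slow_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record kind with a constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "wrapped-md5":
        candidate = slow_hash(legacy_md5(record["legacy_salt"], password), salt)
    elif record["scheme"] == "native":
        candidate = slow_hash(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, password: str) -> tuple:
    """Verify, and on success replace a wrapped record with a native one.
    Returns (ok, record_to_store); the md5 layer is dropped only when the plaintext is at hand."""
    if not verify(record, password):
        return False, record
    return True, native(password) if record["scheme"] == "wrapped-md5" else record
```

Verification still has to know both record kinds, but the difference from the two-code-path approach is that the unwrapped md5 digests are gone from the database the moment the migration pass finishes.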