Hi everybody,
I was on the brink of celebrating the one-year anniversary of a patch I submitted being
open, but today it was finally merged!
https://gerrit.wikimedia.org/r/77645
The old User::comparePasswords() and User::crypt() functions have been replaced with a new
password hashing API. This means MediaWiki now natively supports Bcrypt and PBKDF2 as
replacement password hashing algorithms. Furthermore, the system allows seamless
transitioning, meaning users’ password hashes will be updated automatically the next time
they log in.
This means that MD5 is almost out the door, which is a big win (a follow-up patch,
https://gerrit.wikimedia.org/r/149658, changes the default to PBKDF2, which would
mean any wiki that upgrades to 1.24 would automatically switch away from MD5).
I’d like to thank Aaron Schulz, Chris Steipp, Krinkle, and many others who helped get this
through.
--
Tyler Romeo
0x405D34A7C86B42DF
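
The upgrade-on-next-login behaviour described in the message above, as an added example that is not part of the original post and is not MediaWiki's code. The stored-hash layout, the function names and the iteration count are assumptions made for this sketch.

```php
<?php
// Added example, not MediaWiki code. Constructed storage layout:
//   legacy : md5:<salt>:<hex md5(salt . password)>
//   current: pbkdf2:<iterations>:<hex salt>:<hex derived key>
const PBKDF2_ITERATIONS = 100000; // assumed work factor

// Hypothetical helper: hash a password with the current default scheme.
function hashCurrent(string $password): string {
    $salt = random_bytes(16);
    $key = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    return 'pbkdf2:' . PBKDF2_ITERATIONS . ':' . bin2hex($salt) . ':' . bin2hex($key);
}

// Returns [passwordMatches, replacementHashOrNull].
function verifyAndUpgrade(string $password, string $stored): array {
    $p = explode(':', $stored);
    if ($p[0] === 'md5' && count($p) === 3) {
        $ok = hash_equals($p[2], md5($p[1] . $password));
        // A successful login is the only moment the plaintext is available,
        // so a legacy hash is replaced right here and never on failure.
        return [$ok, $ok ? hashCurrent($password) : null];
    }
    if ($p[0] === 'pbkdf2' && count($p) === 4 && ctype_digit($p[1]) && (int)$p[1] > 0
        && ctype_xdigit($p[2]) && strlen($p[2]) % 2 === 0) {
        $iter = (int)$p[1];
        $key = hash_pbkdf2('sha256', $password, hex2bin($p[2]), $iter, 32, true);
        $ok = hash_equals($p[3], bin2hex($key));
        // Same scheme but a weaker work factor than today's default: also rehash.
        return [$ok, ($ok && $iter < PBKDF2_ITERATIONS) ? hashCurrent($password) : null];
    }
    return [false, null]; // unknown or malformed record: fail closed
}

// Constructed sample: one account still stored under the legacy scheme.
$db = ['alice' => 'md5:ab12:' . md5('ab12' . 'correct horse')];
foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    [$ok, $new] = verifyAndUpgrade($attempt, $db['alice']);
    if ($new !== null) {
        $db['alice'] = $new; // persist the upgraded hash
    }
    printf("%-14s ok=%s scheme=%s\n", $attempt, var_export($ok, true),
        explode(':', $db['alice'])[0]);
}
```

Accounts that never log in again keep their legacy hash under this pattern, so the old verifier has to remain available until those records are migrated or expired.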