Arc Forumnew | comments | leaders | submitlogin
2 points by akkartik 4212 days ago | link | parent

You: "About password issue. If PG switches hash, he surely will consider about compatibility.."

I'll quote PG and RTM again: "Arc is still fluid and future releases are guaranteed to break all your code." http://www.arclanguage.org

I interpret this sentence on the frontpage to mean that he will not be concerned about compatibility. Arc is for exploratory programming. If you have users you're on your own. I really don't see how you can interpret it any other way.

The good news is that migrating passwords isn't hard. I've done it for a site myself.



1 point by dram 4212 days ago | link

PG and RTM may break other code, but I think they will not break their own code, as news.arc is inside of Arc, not outside. :)

I'm curious how did you migrate passwords, I thought some more code are needed to migrate them automatically.

-----

3 points by akkartik 4212 days ago | link

Yeah, I wrote some more code :)

First I transformed all existing hashes:

  (maptable [list 'sha512_sha1 (sha512 _)] hpasswords*)
Then, as users login and I momentarily have their unhashed passwords, I hash it with just sha512, making the hpasswords* value:

  (= hpasswords*.user
     (list 'sha512 (sha512 password)))
Password verification can now use the first element (the 'type') to decide how to hash the password.

-----

1 point by akkartik 4212 days ago | link

"I think they will not break their own code, as news.arc is inside of Arc, not outside."

But then how would they ever migrate beyond sha1? Would the hundred-year language save passwords in a way that gets more insecure every year?

I think arc's default assumption is that there's no difference between 'inside' and 'outside'. And this is how lisp used to be.

-----

2 points by dram 4212 days ago | link

Another method would be hash sha1 hashed values directly, like:

  (sha512 (+ (sha1 pw) user-salt site-salt))
Anyway, existing passwords still need to be migrated manually.

BTW, for security, it is also unsecure to pass unhashed passwords around network, unless use https.

-----

1 point by akkartik 4212 days ago | link

"BTW, for security, it is also unsecure to pass unhashed passwords around network, unless use https."

Yes. Though you can get that with apache or nginx.

-----