
U2: Password Hash Algorithm Upgrade

空白 (Administrator)
Original poster, 2022-06-08 22:47

Quote:

The site has completed its password hash algorithm upgrade. Password hashes stored with the new algorithm are about 25 million times harder to brute-force than those stored with the old algorithm (test hardware: Nvidia GTX 3080).

Because the site does not store plaintext passwords, the conversion from old-algorithm hashes to new-algorithm hashes cannot be done automatically. For now, a user's stored password hash is switched to the new algorithm only in the following cases:

1. When a new user registers
2. When a user changes their password (the new password may be the same as the old one)

The algorithm switch has zero impact on actual use, and switching back is not supported.

Since the security of password hashes only matters in the hypothetical scenario of a database leak, the site has no plan to force users to change their passwords and switch to the new algorithm during 2022. From 2023 on, the site reserves the possibility of showing a mandatory pending-upgrade notice, or of forcing users who have not upgraded to change their password once.

--------------------------------------------------------------------------------------------------------------------------------------

The site has done a passhash algorithm upgrade recently. Passhashes using the new algorithm are 25 million times harder to crack by brute-force (testing hardware is Nvidia GTX 3080).

Since we do not store plaintext passwords, we were unable to convert old passhashes to new passhashes automatically. Thus, a user is enrolled into the new algorithm only when:

1. Account Registration
2. Password Update (the new password could be the same as the old password)

The algorithm upgrade does not affect user experience and cannot be undone.
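The two migration points described above (registration and password change, with no automatic conversion and no way back) can be modelled as a per-record algorithm label plus a "rehash only when the plaintext is legitimately in hand" rule. The following is an added example written for this thread, not U2's code: the announcement names neither the old nor the new algorithm, so a single salted SHA-256 stands in for the legacy scheme and scrypt stands in for the new one, and the function names (`make_record`, `verify`, `change_password`, `pending_upgrade`) are assumptions.

```python
import hashlib
import hmac
import os

# Assumed stand-ins: the announcement names neither the old nor the new algorithm.
# "legacy" is a single salted SHA-256 (fast, therefore cheap to brute-force);
# "current" is scrypt with a memory-hard cost. Neither is claimed to be what U2 uses.
LEGACY_ALGO = "legacy-sha256"
CURRENT_ALGO = "scrypt"


def _digest(algo: str, password: str, salt: bytes) -> str:
    """Compute the hex digest for the algorithm label stored on a record."""
    pw = password.encode("utf-8")
    if algo == LEGACY_ALGO:
        return hashlib.sha256(salt + pw).hexdigest()
    if algo == CURRENT_ALGO:
        # n=2**14, r=8, p=1 costs 16 MiB per hash; the parameters are illustrative.
        return hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1, dklen=32).hex()
    raise ValueError(f"unknown algorithm label: {algo}")


def make_record(password: str, algo: str = CURRENT_ALGO) -> dict:
    """Build a stored credential record: algorithm label, fresh random salt, digest."""
    salt = os.urandom(16)
    return {"algo": algo, "salt": salt.hex(), "hash": _digest(algo, password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever algorithm the record was stored with."""
    candidate = _digest(record["algo"], password, bytes.fromhex(record["salt"]))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def pending_upgrade(record: dict) -> bool:
    """True while the record still uses the legacy algorithm (drives an upgrade notice)."""
    return record["algo"] != CURRENT_ALGO


def register(password: str) -> dict:
    """Migration point 1: new accounts are always created with the current algorithm."""
    return make_record(password, CURRENT_ALGO)


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Migration point 2: a successful password change always re-stores the password
    with the current algorithm, even when new_password == old_password.
    The returned record replaces the old one; there is no path back to the legacy label."""
    if not verify(record, old_password):
        raise PermissionError("old password does not match")
    return make_record(new_password, CURRENT_ALGO)


def login(record: dict, password: str) -> bool:
    """Ordinary login only verifies; it never rewrites the stored record."""
    return verify(record, password)


if __name__ == "__main__":
    # Constructed legacy-era record, as it would sit in the database before the upgrade.
    old = make_record("correct horse", LEGACY_ALGO)
    print("legacy record pending upgrade:", pending_upgrade(old))
    # Same password re-entered through the password-change flow is enough to migrate it.
    new = change_password(old, "correct horse", "correct horse")
    print("after password change:", new["algo"], "pending:", pending_upgrade(new))
```

`login` deliberately verifies and nothing more, mirroring the announcement's two migration points; a deployment that wanted a third point could call `make_record` from the same place after a successful `verify`, since the plaintext is momentarily available there too. The `pending_upgrade` flag is what a "not yet upgraded" notice or a one-time forced password change would key on.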

Since the security of passhashes only takes effect in the hypothetical scenario of a database leak, we do not plan on forcing users to change their passwords in 2022. From 2023 we may (or may not) display a non-removable upgrade notice (for those not upgraded yet) or simply force users to upgrade.