We currently updated from OJS 2.4.5 to 2.4.8 and then to 18.104.22.168.
In our previous configuration we were using md5 password hashing; we would like to switch to the more secure sha1 method.
Is it possible to achieve this without asking old users to update their passwords?
How does it work?
Passwords created by OJS 2.4.5 are stored in the database as 32 hex numbers, as expected (MD5 being 128-bit). But in the new system, choosing either md5 or sha1, passwords are stored as a 60-character string. SHA1 being 160-bit, shouldn’t it be 40 hex digits?
Is “salt” only used for resetting passwords? How is it used? Can I change it anytime to anything without affecting users? Or would it have impact on how users log in?