We are planning to invalidate old passwords on the main site which have not been used for a long time and are not hashed to modern standards. The current count of affected users is:
7001 users with unsalted MD5 hashes (have not changed password since 2007, or logged in since 2013)
1473214 users with salted MD5 hashes (have not logged in since 2013)
958 users without valid passwords
The plan is to clear all these passwords and to change the web site code to offer to do an email password reset if a user with a blank password tries to log in.
Out of these 958 without valid passwords (null passwords?), there could be accounts created yesterday, correct?
Is there any overlap between the 958 and the others? I'm thinking we could show a different message for all cohorts, depending on whether the account has an oauth provider linked or not; something like:
if ${oauth_account_provider}:
    "Your account, linked through ${oauth_account_provider}, does not have a password. We require you to set one as part of our enhanced security measures. This is a proactive step, and does not indicate any security breach. Check your email for a password reset link."
else:
    "Welcome back! Since you last logged in, we've upgraded our security systems to better protect your data. This upgrade requires a new password for accounts with older encryption formats, ensuring your account meets our current security standards. This is a proactive step, and does not indicate any security breach. Check your email for a password reset link."
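The login-time behaviour proposed in the issue, combined with the cohort-specific messages from the comment above, as an added example that is not the project's own code. The record fields, function names, shortened message texts and the PBKDF2 stand-in hash are assumptions.

```python
import hashlib
import hmac
import os

# Shortened versions of the two messages proposed in the comment above.
OAUTH_MSG = ("Your account, linked through {provider}, does not have a password. "
             "Check your email for a password reset link.")
LEGACY_MSG = ("This upgrade requires a new password. "
              "Check your email for a password reset link.")
FAILED_MSG = "Incorrect email address or password."


def _hash(password, salt):
    # Assumption: PBKDF2 stands in for whatever modern hash the site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password=None, oauth_provider=None):
    """Build a constructed account record; password=None models a cleared password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pass_hash": _hash(password, salt) if password is not None else None,
        "oauth_provider": oauth_provider,
    }


def login(email, password, accounts, send_reset):
    """Return (outcome, message) for one login attempt."""
    user = accounts.get(email)
    if user is None:
        return ("denied", FAILED_MSG)
    if not user["pass_hash"]:
        # Cleared password: skip comparison entirely so that no submitted
        # value, including an empty string, can authenticate this account.
        send_reset(email)  # the link goes to the address on record only
        provider = user["oauth_provider"]
        message = OAUTH_MSG.format(provider=provider) if provider else LEGACY_MSG
        return ("reset_sent", message)
    if hmac.compare_digest(_hash(password, user["salt"]), user["pass_hash"]):
        return ("ok", "")
    return ("denied", FAILED_MSG)
```

The cleared-password branch runs before any hash comparison, so a blank stored value is never treated as a password that an empty submission could match.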