New installation with old profiles

[tedych]

Hi.
On one server I installed the newest FZ Server version, changed few setting and created one account for me.
The thing is, I want to transfer many accounts from another (very old) FZ Server installation from another server.
I took the old XML file, the new XML file, and opened them both in Notepad++. Then I made a manual "merge" - in the new file I pasted all the "old" users between the <Users> tags, while keeping my "new" account created in the interface just before that.
The old XML format of users doesn't seem to use salts on passwords, and the stored hash is much shorter.
Now in the new file's Users section I have my new "salted" account, and bunch of old accounts without a salt, with shorter hashes for the password.

Is this a problem and is there a way to import those old credentials to the new format with salts? It seems the "old" accounts do work.

[boco]

The old accounts will continue to use the old format (MD5 hash, no salt). If you manually re-apply the password for an old account it will be stored using the new format (salted SHA512). No automatic conversion is available, AFAIK.

Both old and new format passwords do work.

[botg]

Automatic conversion isn't even possible as the password is not available in its original form.

[tedych]

Yes, I thought that too, even in used with the weak MD5, it is a one-way hash.
Good to know both old and new formats can coexist and work together in one installation without issues.

[boco]

MD5 is a broken one-way hash. One can find collisions in mere seconds with a typical PC, these days.

A collision is an alternative string of characters that can be used as password because it produces the same MD5 hash in the end.


Salted SHA512 is standing strong and likely will for a long time.