Changes to user password hashing in Fotoware Feature Release 17

With Fotoware Feature Release 17 (Fall 2021 release), we are changing how user passwords are hashed. The change has some practical implications that users should be aware of.

  • This improvement makes it more difficult to extract users' plain-text passwords from the FotoWeb database, thus protecting user passwords if a site is compromised.
  • Users keep their original passwords, and no action is required.
  • If a user has not logged in for 6 months or more, and the user last logged in before the update to FR17, then the user's account is temporarily locked, and either the user or an administrator must reset the user's password.
  • Clean installations of FR17 or higher are not affected at all.
  • Downgrading from FR17 to an earlier version of FotoWeb is not supported.


Technical information:
The new algorithm uses PBKDF2-SHA256 with 100000 iterations. The number of iterations may be adjusted in future versions to adapt to faster hardware.
A user's password hash is updated automatically when the user logs in for the first time after the update to FR17.
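
The upgrade-on-login behaviour described above can be sketched as follows. This is an added example, not Fotoware's code: the storage format, the `legacy_hash` stand-in (the page does not say which algorithm was used before FR17), the user record layout and the 182-day approximation of "6 months" are all assumptions.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

ITERATIONS = 100_000                 # value stated on the page for FR17
STALE_AFTER = timedelta(days=182)    # "6 months", approximated (assumption)

def legacy_hash(password):
    # Hypothetical stand-in for the pre-FR17 scheme, which the page does not describe.
    return "legacy$" + hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_hash(password, iterations=ITERATIONS, salt=None):
    # Assumed storage format: scheme$iterations$salt_hex$hash_hex
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    scheme, *parts = stored.split("$")
    if scheme == "legacy":
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == "pbkdf2-sha256":
        iterations, salt_hex, _ = parts
        candidate = pbkdf2_hash(password, int(iterations), bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    return False

def login(user, password, now):
    """Return 'locked', 'denied' or 'ok'; upgrade the stored hash on success."""
    # A legacy-format hash means the user has not logged in since the update.
    is_legacy = user["hash"].startswith("legacy$")
    # Old-format hash plus long inactivity: require a password reset instead.
    if is_legacy and now - user["last_login"] >= STALE_AFTER:
        return "locked"
    if not verify(password, user["hash"]):
        return "denied"
    # The plain-text password is only available at login, so this is the one
    # place the hash can be recomputed under the current parameters. The same
    # path covers a later increase of the iteration count.
    if is_legacy or int(user["hash"].split("$")[1]) < ITERATIONS:
        user["hash"] = pbkdf2_hash(password)
    user["last_login"] = now
    return "ok"
```

Storing the iteration count next to each hash is what lets the count be raised later without invalidating existing passwords.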