blueflow 4 days ago

This can be done at login time without the user noticing, as you have the plaintext password for a moment.

  • mooreds 4 days ago

    Yeah, this is the best practice. We offer that in our product.

    But it's possible that you could follow the best practice and still force a reset. This could be because:

    * the customer or provider doesn't want to wait for everyone to log in

    * they've waited for N months and now there is a block of users who have not logged in yet and they think it is worth the user annoyance to just force them all to reset their password

RealStickman_ 4 days ago

They could do that by comparing against the old hash and, if it matches, generate the new hash to store somewhere.
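The rehash-on-login flow discussed in this thread, as an added example (not code from any commenter or product): a constructed in-memory user table holds a legacy unsalted SHA-256 record; on a successful login the plaintext is briefly available, so the record is verified against the old hash and silently upgraded to salted PBKDF2. The scheme prefixes, iteration count and table layout are assumptions for the example, and `still_legacy()` lists the stragglers an operator might eventually force to reset.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed user table: username -> stored hash string.
# "legacy$<hex>"        : unsalted SHA-256, the scheme being migrated away from
# "pbkdf2$<iters>$<salt>$<dk>" : the new salted, iterated scheme
USERS = {
    "alice": "legacy$" + hashlib.sha256(b"correct horse").hexdigest(),
    "bob": "legacy$" + hashlib.sha256(b"battery staple").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the new scheme


def hash_new(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password under the new scheme with a fresh random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(password: str, stored: str) -> bool:
    """Check a password against either scheme, using constant-time comparison."""
    scheme, _, rest = stored.partition("$")
    if scheme == "legacy":
        return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2":
        iters, salt_b64, dk_b64 = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return False


def login(username: str, password: str) -> bool:
    """Authenticate; on success, transparently upgrade a legacy record."""
    stored = USERS.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("legacy$"):
        USERS[username] = hash_new(password)  # plaintext is in hand only here
    return True


def still_legacy() -> list:
    """Users who have not logged in since the migration began."""
    return sorted(u for u, h in USERS.items() if h.startswith("legacy$"))
```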