Back
Rehash after first login
I see I can create an md5 user which is great for migrating from legacy systems. But I wonder: will this password be rehashed after the first successful login to something more safe? Or should the client take care of this and if so, how?
TL;DR
In this support thread, the user is asking if the password will be rehashed to something more secure after the first successful login. The solution provided is to prompt the user to enter a one-time password after their first login and then update their password using the `updatePassword` method. Alternatively, the user can reset their password using the password recovery method, which is a two-step process involving the `createRecovery` and `updateRecovery` methods. The thread also mentions that the password will stay encrypted with MD5 in the database along with the hashing method used.
The password will stay encrypted with MD5, as the database will contain the hash + the hashing method.
If you do want to change the password to be hashed with the default argon2 Then you can either:
- Change the user password in a function using the
updatePasswordmethod https://appwrite.io/docs/server/users?sdk=nodejs-default#usersUpdatePassword - Let the user reset is password by using the password recovery method (this is a 2-step process)
So in your use-case you can migrate from the legacy system, and let the user login using their old MD5 password. Then, after the first login you can prompt them to a "one-time" password re-enter.
Now you can send this password to the function and update the user password.
