You can now log in with your LW1 credentials on LW2

post by habryka (habryka4) · 2018-03-17T05:56:13.310Z · score: 30 (6 votes) · LW · GW · 5 comments

I just finished an update that ported over the old passwords from LW1 while still preserving security (see my previous meta post). We only ported passwords over from sometime in last May, and will run the same import on the new database if the vote completes and we are doing the final transfer, but I figured I would let people know now and tell me of any problems they encounter in the meantime.

The old passwords were hashed with a relatively weak hashing function (SHA1), so I do recommend that people change their passwords after they log in with their old accounts. There is also some risk of someone impersonating you if they got access to the old LW1 database (since with the new setup the old password hash is sufficient to allow them to log in), so if you change passwords this problem is also resolved.
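
The migration pattern the post describes, sketched as an added example that is not part of the original post and is not LessWrong's code: imported SHA1 digests are wrapped in a slow hash, and a password change moves the record to a scheme that no longer depends on SHA1. The record layout, function names, unsalted SHA1 and the use of PBKDF2 as the slow hash are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def legacy_sha1(password: str) -> bytes:
    # Weak legacy digest. The post says SHA1; unsalted is an assumption.
    return hashlib.sha1(password.encode()).digest()


def _slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def import_legacy(sha1_digest: bytes) -> dict:
    # Wrap an imported digest in a slow hash; the plaintext is never needed.
    salt = os.urandom(16)
    return {"scheme": "wrapped-sha1", "salt": salt,
            "hash": _slow_hash(sha1_digest, salt)}


def set_password(password: str) -> dict:
    # Password change or reset: the record no longer depends on SHA1.
    salt = os.urandom(16)
    return {"scheme": "native", "salt": salt,
            "hash": _slow_hash(password.encode(), salt)}


def verify(record: dict, password: str) -> bool:
    wrapped = record["scheme"] == "wrapped-sha1"
    secret = legacy_sha1(password) if wrapped else password.encode()
    return hmac.compare_digest(_slow_hash(secret, record["salt"]), record["hash"])


def legacy_digest_still_valid(record: dict, sha1_digest: bytes) -> bool:
    # Audit check: does a digest from the old database still match this record?
    if record["scheme"] != "wrapped-sha1":
        return False
    return hmac.compare_digest(_slow_hash(sha1_digest, record["salt"]), record["hash"])


if __name__ == "__main__":
    old = legacy_sha1("correct horse")          # constructed sample password
    rec = import_legacy(old)
    print(verify(rec, "correct horse"), legacy_digest_still_valid(rec, old))
    rec = set_password("correct horse")         # same password, new scheme
    print(verify(rec, "correct horse"), legacy_digest_still_valid(rec, old))
```

A wrapped record stays tied to the old digest until `set_password` runs, which is why changing the password closes the exposure even when the same password is reused.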


Comments sorted by top scores.

comment by Qiaochu_Yuan · 2018-03-21T04:53:32.832Z · score: 6 (1 votes) · LW(p) · GW(p)

Just tried doing this and got "Unknown error."

comment by Raemon · 2018-03-21T04:57:31.812Z · score: 12 (2 votes) · LW(p) · GW(p)

We should make that error say something sensible, but if you've since changed your password (which you must have to be using the site lately) the old password will no longer work.

comment by Qiaochu_Yuan · 2018-03-21T05:51:31.852Z · score: 6 (1 votes) · LW(p) · GW(p)

So to confirm, that means it's not possible for someone to impersonate me with access to a hash of my old password?

comment by habryka (habryka4) · 2018-03-21T06:26:25.094Z · score: 12 (2 votes) · LW(p) · GW(p)

Yep, correct. In the moment you ever requested a reset-password email and changed your password, you switched to a new secure password solution (even if you just used the same password).

comment by Davidmanheim · 2018-04-10T00:00:06.395Z · score: 4 (1 votes) · LW(p) · GW(p)

I had the same login for Lesserwrong and lesswrong, and the lesserwrong password seemed to have overridden the lesswrong one.