From 6f458cfba3ad913df5f28ab5f4f41f5f38e9932b Mon Sep 17 00:00:00 2001 From: Tyler Romeo Date: Sun, 27 Jul 2014 15:48:22 -0400 Subject: [PATCH] Changed password default to PBKDF2 Bug: 28419 Change-Id: I096a862c884f6a6adbb381c0fcc70844bf007c63 --- RELEASE-NOTES-1.24 | 6 ++++++ includes/DefaultSettings.php | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24 index a417d19537..5e440e3971 100644 --- a/RELEASE-NOTES-1.24 +++ b/RELEASE-NOTES-1.24 @@ -51,6 +51,12 @@ production. * $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed. * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort and $wgRC2UDPPrefix have been removed. +* The default password type for MediaWiki has been changed from MD5 to PBKDF2. + Password hashes will automatically be updated as users log in. If necessary, the + old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'. In addition, + there is a maintenance script wrapOldPassword.php that can wrap all passwords in + PBKDF2 (or the hashing algorithm of your choice) if you don't want to wait for your + users to log in. === New features in 1.24 === * Added a new hook, "WhatLinksHereProps", to allow extensions to annotate diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 7829710f75..304a75fff2 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -4098,7 +4098,7 @@ $wgInvalidPasswordReset = true; * * @since 1.24 */ -$wgPasswordDefault = 'B'; +$wgPasswordDefault = 'pbkdf2'; /** * Configuration for built-in password types. Maps the password type -- 2.20.1
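Review bot: In the RELEASE-NOTES-1.24 hunk, the new entry presents wrapping as optional ("if you don't want to wait for your users to log in"), but it also says hashes are only updated as users log in, so accounts that never log in again keep their MD5 hashes indefinitely. Suggest stating that explicitly and pointing to the maintenance script as the way to cover those accounts. The sentence about restoring the old hashing by setting $wgPasswordDefault to 'B' should also say that passwords set afterwards are stored as MD5 again.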
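Review bot: In the includes/DefaultSettings.php hunk, the new line `$wgPasswordDefault = 'pbkdf2';` depends on a 'pbkdf2' key existing in the password type map that the trailing context introduces ("Configuration for built-in password types"), and this patch touches neither that map nor the doc comment above the setting. Please confirm the key is defined there, and have the doc comment say that the value must name a key in that map, so that a site overriding the map without a 'pbkdf2' entry is not left with a default that points at an undefined type. The diffstat lists only these two files, so nothing in the change tests the new default or the upgrade of an existing hash on login.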