Affects Version/s: None
Fix Version/s: v2.8.0
Currently Unity can be configured to keep previous passwords (password history). Those historical hashes are never rehashed, so after a policy change they can remain protected by the old, possibly weaker, settings. Two changes are needed to improve security in case of a compromised password database:
- Whenever hashing policy is changed, all historical passwords with other settings must be removed. This should be done when changing password settings.
- Whenever history length is changed, all historical entries which are above the new threshold must be removed immediately.
The changes also require a migration, to remove excess or wrongly hashed historical entries from existing deployments.
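The following is an added illustration of the two rules and the migration, not Unity's own code: a minimal password-history store in Python in which every entry is tagged with the hashing settings it was produced under. The `HashPolicy`, `PasswordHistory`, `set_policy`, `set_max_len` and `migrate` names, and the use of PBKDF2-HMAC-SHA256 as the stand-in for Unity's configured hash, are assumptions for the example. Changing the policy drops every entry hashed under other settings; shrinking the history length truncates immediately; `migrate` applies both rules to an existing store.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HashPolicy:
    """Hashing settings (assumed shape). Any change yields a different, unequal policy."""
    algorithm: str = "pbkdf2_sha256"
    iterations: int = 600_000
    salt_len: int = 16


@dataclass
class HistoryEntry:
    policy: HashPolicy   # the settings this digest was produced with
    salt: bytes
    digest: bytes


@dataclass
class PasswordHistory:
    policy: HashPolicy
    max_len: int
    entries: list = field(default_factory=list)   # newest first

    @staticmethod
    def _hash(password: str, salt: bytes, policy: HashPolicy) -> bytes:
        # PBKDF2 stands in for whatever hash the real deployment configures.
        if policy.algorithm != "pbkdf2_sha256":
            raise ValueError(f"unsupported algorithm {policy.algorithm!r}")
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, policy.iterations)

    def record(self, password: str) -> None:
        """Store the current password under the current policy, keeping at most max_len."""
        salt = os.urandom(self.policy.salt_len)
        digest = self._hash(password, salt, self.policy)
        self.entries.insert(0, HistoryEntry(self.policy, salt, digest))
        del self.entries[self.max_len:]

    def was_used(self, password: str) -> bool:
        """Reuse check: compare against each entry with the settings that entry was hashed with."""
        return any(
            hmac.compare_digest(self._hash(password, e.salt, e.policy), e.digest)
            for e in self.entries
        )

    def set_policy(self, new_policy: HashPolicy) -> int:
        """Rule 1: on a hashing-policy change, remove every entry hashed with other settings."""
        self.policy = new_policy
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.policy == new_policy]
        return before - len(self.entries)

    def set_max_len(self, new_len: int) -> int:
        """Rule 2: on a history-length change, drop entries above the new threshold at once."""
        self.max_len = new_len
        before = len(self.entries)
        del self.entries[new_len:]
        return before - len(self.entries)


def migrate(history: PasswordHistory) -> int:
    """One-off cleanup for existing stores: apply both rules, return number of entries removed."""
    before = len(history.entries)
    kept = [e for e in history.entries if e.policy == history.policy]
    history.entries = kept[: history.max_len]
    return before - len(history.entries)


if __name__ == "__main__":
    # Constructed walkthrough with a low iteration count so it runs quickly.
    h = PasswordHistory(policy=HashPolicy(iterations=1000), max_len=5)
    for pw in ("first-pw", "second-pw", "third-pw"):
        h.record(pw)
    print("history size:", len(h.entries), "reuse of second-pw:", h.was_used("second-pw"))
    print("removed on length change:", h.set_max_len(2))
    print("removed on policy change:", h.set_policy(HashPolicy(iterations=2000)))
```

The trade-off the issue accepts is visible in `set_policy`: the old entries cannot be rehashed (the plaintexts are gone), so removing them means reuse of those passwords is no longer detected, in exchange for never leaving a weakly hashed copy in the database. Tagging each entry with its own policy is what makes `was_used` and `migrate` able to tell stale entries apart.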