[openstreetmap/openstreetmap-website] Drop support for legacy MD5 passwords (PR #7048)

Tom Hughes notifications at github.com
Wed Apr 29 17:59:42 UTC 2026 

This ensures that anybody with an invalid password who tries to login is pointed to the password reset system and then drops support for the legacy MD5 passwords and removes any which remain from the database.

There is some previous discussion at https://github.com/openstreetmap/operations/issues/1006 and having checked the numbers now remain similar - just under 7000 with unsalted MD5 passwords and around 1.4 million with salted MD5 passwords.

Anybody with such a password has not logged in since we stopped using MD5 for new passwords in August 2013 or their password would have been upgraded when they logged in.
You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/7048

-- Commit Summary --

  * Drop unused require of securerandom
  * Test login error cases for sessions controller
  * Redirect users with invalid password to the reset flow
  * Drop support for MD5 legacy passwords

-- File Changes --

    M .rubocop_todo.yml (2)
    M app/controllers/sessions_controller.rb (18)
    M app/models/user.rb (43)
    M config/locales/en.yml (1)
    A db/migrate/20260429171618_drop_md5_passwords.rb (10)
    M db/structure.sql (1)
    M lib/password_hash.rb (12)
    M test/controllers/passwords_controller_test.rb (2)
    M test/controllers/sessions_controller_test.rb (31)
    M test/integration/user_creation_test.rb (3)
    M test/lib/password_hash_test.rb (4)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/7048.patchhttps://github.com/openstreetmap/openstreetmap-website/pull/7048.diff
-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/7048
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/pull/7048 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20260429/bbbcf1d4/attachment-0001.htm>

More information about the rails-dev mailing list