You can now log in with your LW1 credentials on LW2

by habryka1 min read17th Mar 20185 comments

10

Site Meta
Personal Blog

I just finished an update that ported over the old passwords from LW1 while still preserving security (see my previous meta post). We only ported passwords over from sometime in last May, and will run the same import on the new database if the vote completes and we are doing the final transfer, but I figured I would let people know now and tell me of any problems they encounter in the meantime.

The old passwords were hashed with a relatively weak hashing function (SHA1), so I do recommend that people change their passwords after they login with their old accounts. There is also some risk of someone impersonating you if they got access to the old LW1 database (since with the new setup the old password hash is sufficient to allow them to log in), so if you change passwords this problem is also resolved.

5 comments, sorted by Highlighting new comments since Today at 2:38 AM
New Comment

Just tried doing this and got "Unknown error."

We should make that error say something sensible, but if you've since change your password (which you must have to be using the site lately) the old password will no longer work.

So to confirm, that means it's not possible for someone to impersonate me with access to a hash of my old password?

Yep, correct. In the moment you ever requested a reset-password email and changed your password, you switched to a new secure password solution (even if you just used the same password).

I had the same login for Lesserwrong and lesswrong, and the lesserwrong password seemed to have overridden the lesswrong one.