From 4e6f25806e3c9fa4753ce959ef990167796acd32 Mon Sep 17 00:00:00 2001 From: Mattias Andrée Date: Thu, 14 May 2026 15:55:33 +0200 Subject: Tests and fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mattias Andrée --- librecrypt.7 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'librecrypt.7') diff --git a/librecrypt.7 b/librecrypt.7 index 7c577a4..d576658 100644 --- a/librecrypt.7 +++ b/librecrypt.7 @@ -123,6 +123,22 @@ binary. Get encoding alphabet for the last algorithm in a chain. +.SH NOTES +Using +.BR librecrypt_add_algorithm (3) +to hash existing password +hashes should be used as a transitional mitigation strategy +when replaing an old password hash function. Once the password +is available in clear text, it should be hashed anew using +only the new password hash function: this will both increase +security and reducing login it, allowing for stronger hash +function configurations. This is especially important if the +password is actually a key and longer than the old hash. It +is also a good idea to force password reset, and lock any +account that hasn't reset its password, because it is +possibly that the old password hashes has been leaked and it +will force a fresh hashing even one counts that seldom log in. + .SH SEE ALSO .BR crypt (3), .BR crypt (5) -- cgit v1.2.3-70-g09d2
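Review bot: The added NOTES paragraph in librecrypt.7 has wording errors that obscure the guidance and should be fixed before merging. "replaing" should be "replacing"; "this will both increase security and reducing login it" is garbled and appears to be meant as "this will both increase security and reduce login time"; "it is possibly that the old password hashes has been leaked" should read "it is possible that the old password hashes have been leaked"; and "even one counts that seldom log in" should read "even on accounts that seldom log in". The opening sentence says "Using ... should be used as", which would read better as "Hashing existing password hashes with librecrypt_add_algorithm(3) should only be used as a transitional mitigation strategy". The sentence "This is especially important if the password is actually a key and longer than the old hash" gives no reason; consider adding a clause that says why the length of the old hash matters in that case, so the reader does not have to infer it.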