In September 2019, Vanilla changed the URLs of their default avatar addon, known as Vanillicons. If you never uploaded a photo for your avatar, you may have noticed that it suddenly changed to something else.
What Did We Change?
Previously, Vanillicons were generated using an MD5 hash of users' email addresses. This is the same methodology as the ubiquitous Gravatar service, and is indeed the reason why we originally chose MD5. We switched this to a truncated SHA1 hash, which results in a different avatar.
Why Did We Change To SHA1?
We switched from MD5 to SHA1 mainly for one reason: security. The MD5 hash algorithm is susceptible to guessing by means of a technique called rainbow tables. The vulnerability in MD5 has been known throughout the industry for some time. In the past, we considered the vulnerability to be acceptable with respect to our cute little avatars, so we continued to use MD5 for Vanillicons. By the CVSS calculator, this vulnerability is classified as low severity.
More recently, we've taken a more absolute approach to security. Because of this we decided to make the switch to SHA1.
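An added example (not Vanilla's code) of the change described above: it derives an avatar identifier from an email address with MD5, SHA1 and a truncated SHA1, and measures how many addresses in a candidate list share each identifier. The trim-and-lowercase step follows Gravatar's documented method and is assumed for Vanillicon; the 2-character truncation, the function names and the addresses are constructed for illustration and are not Vanilla's actual values.

```python
import hashlib
from collections import defaultdict

def avatar_id(email, algo="md5", length=None):
    """Identifier derived from an email address: trim, lowercase, hash,
    hex-encode. `length` (assumed parameter) truncates the hex digest."""
    digest = hashlib.new(algo, email.strip().lower().encode("utf-8")).hexdigest()
    return digest if length is None else digest[:length]

def build_table(candidates, algo, length=None):
    """Precompute identifier -> candidate addresses. A plain lookup table
    stands in here for the precomputed tables the article mentions."""
    table = defaultdict(list)
    for email in candidates:
        table[avatar_id(email, algo, length)].append(email)
    return table

def exposure(candidates, algo, length=None):
    """Return (distinct identifiers, largest group sharing one identifier).
    A largest group of 1 means every identifier maps back to one address."""
    table = build_table(candidates, algo, length)
    return len(table), max(len(group) for group in table.values())

# Constructed sample data: 500 made-up addresses on a reserved example domain.
CANDIDATES = [f"user{i}@example.com" for i in range(500)]
# Same address as user42@example.com, written with different case and spacing.
TARGET = " User42@Example.com "

if __name__ == "__main__":
    # Truncation to 2 hex characters is an illustrative assumption only.
    for algo, length in (("md5", None), ("sha1", None), ("sha1", 2)):
        ids, largest = exposure(CANDIDATES, algo, length)
        table = build_table(CANDIDATES, algo, length)
        matches = table[avatar_id(TARGET, algo, length)]
        print(f"{algo:4} length={length}: {ids} identifiers, "
              f"largest group {largest}, {len(matches)} candidate(s) match")
```

An untruncated hash of either kind gives every candidate its own identifier, while truncation makes several addresses share one once the candidate list outgrows the identifier space.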
I Want My Old Vanillicon Back!
We originally conceived of Vanillicon as a fun little way to replace the boring old grey default avatars. We wanted the community to still look colorful and lively, even if users didn't upload their own avatars.
Little did we know that some of you would become attached to your Vanillicons and not want to change them at all. We understand that having your beloved, unique Vanillicon all of a sudden change out from underneath you might be frustrating. That's why we wanted to be as transparent as possible with our reasoning for the change. We're hoping that you'll read this article, understand why we did what we did, and try to accept your new avatar.