Users moving from the old Hackage
This new Hackage implementation uses a somewhat more secure system for logging in. Because of this change, users who had accounts on the old system need to do a one-time upgrade step.
Note that if the upgrade is successful then the old auth information will be deleted and trying to upgrade again will fail.
Technical details for the curious
The old hackage implementation used HTTP basic authentication. The new system uses HTTP digest authentication.
We could not transparently upgrade accounts to the new system because the password hash format is different for the new system. The old format was the Apache basic auth 'CRYPT' format, while the new format is equivalent to the Apache digest authentication format. It is not possible to generate the new format without access to the plaintext password – which was never stored. So by authenticating once using the old account information – using HTTP basic authentication – we can generate and store password digest for the new system.