Improve security of hashed passwords

While testing you might want to run a query on the database to look at the format of the password field: > SELECT id, username, password FROM mdl_user; id username password 3 testuser b0c1805f9b6435abbf6c2d3fe81ecb36 if the password is of the form: b0c1805f9b6435abbf6c2d3fe81ecb36 then it's the old-style md5 hash. If it looks more like: $2y$10$DzO4FuCYRFnx1wyiYiOI8udJA8yrALCYFnMyFOfX.ZbNLo6.VtV/y then it is in the new (bcrypt) format Test functionality with PHP version that supports bcrypt (typically PHP 5.3.7 or above) Hashes updated on first login following upgrade Install a site without the patch applied Create some users with known passwords Upgrade site to include patch Login as some of the users (they should still be able to login) Log out and log back in again (they should still be able to login) Try to login as a user with the wrong password (should not be able to login) DB checks: After step 2 - old style hash After step 3 - same as step 2 After step 4 - new style hash After step 5 - same as step 4 e.g. the hash changes once when the user first successfully logs in New users created by admin Install a new site with the patch installed Create some users with known passwords Login as some of the users (they should be able to login) DB checks: password should always be the new format Self registration Create a site with patch applied As admin enable self-registration via Site Admin > Plugins > Authentication > Manage Authentication > Self registration Logout Create a user account (note: mail must be working on your site to test this) Test you can login with the password you provided DB checks: password should always be the new format Password change Create a site with patch applied Login as any user Click My Profile Settings > Change password and enter a new password Logout Check that you can login again with the new password DB checks: password should always be the new format Note: You will get a PHP Notice when changing passwords due to MDL-37515 . Bulk upload with passwords specified Create a text file containing the following: firstname,lastname,username,email,password Test,User,testuser,test@example.com,abc123 As an admin visit Site Admin > Users > Accounts > Upload Users Choose the file you created in step 1 and click upload users Under 'New user password' choose 'Field required in file' Click upload users Test user should be created Logout Login with testuser and password abc123 You should be able to login Logout and log back in again DB checks: After step 5 - new hash starting '$2y$04$' After step 8 - new style hash starting '$2y$10$' After step 10 - same as step 8 Bulk upload with passwords not specified Create a text file containing the following: firstname,lastname,username,email Test,User2,testuser2,test2@example.com As an admin visit Site Admin > Users > Accounts > Upload Users Choose the file you created in step 1 and click upload users Under 'New user password' choose 'Create password if needed' Click upload users Test user should be created Run the cron Check email, you should have received an email with a temporary password (note: mail must be working on your site to test this) Logout Login with testuser and password from the email You should be able to login. You will be prompted to change the password Change the password Logout and log back in again with the new password You should be able to log in DB checks: After step 5 - 'to be generated' After step 7 - new style hash starting '$2y$04$' After step 9 - new style hash starting '$2y$10$' After step 11 - same as step 9 Test forgotten password functionality Create a new site with the patch applied Visit the login page (not logged in) Click "Forgotten your username or password?" Enter an existing username or password that you have access to the email of Click the confirmation link in your email Check your email again to get the new password Check you can login with the new password DB checks: After step 1 - new style hash After step 5 - new style hash, but different to before After step 7 - same as step 5 Account access via non-caching auth plugin Create a new site with the patch applied Add the attached test auth plugin to auth/test/ Visit the notification page to install Go to Site admin > Plugins > Authentication > Manage Authentication Plugins Enable the plugin Create a new user, assigning them the 'test auth' authentication type Logout Login as the test user (any password will work) The password should not be stored in the user table Logout and log back in as admin Change the users auth method to manual and set a password Logout and login as that user checking the password works Log back in as admin and switch back to the test auth plugin Log back in as the user with the same password Logout and back in as the user with a different password DB checks: After step 6 - 'not cached' After step 8 - same as step 6 After step 11 - new style hash After step 14 - same as step 11 After step 15 - 'not cached' Test functionality with PHP version that doesn't support bcrypt (typically 5.3.6 or below) Repeat the tests above making sure everything works - should continue to function as before but using only the old algorithm (md5) Note: Some distributions have backported bcrypt support to releases prior to 5.3.7.