Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.8, 2.2.5, 2.3, 2.4
Fix Version/s: 2.5
Component/s: Authentication
Affected Branches: MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Fixed Branches: MOODLE_25_STABLE
Pull Master Branch: master_MDL-35332
Description
Currently Moodle uses md5 for password hashing and a site-wide salt when hashing passwords. It's generally considered best practice to use a modern hashing algorithm like Bcrypt for password hashing, and to have per-user salts, e.g.:
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Rule_1:_Use_a_Modern_Hash_Algorithm
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Rule_2:_Use_a_Long_Cryptographically_Random_Per-User_Salt
Bcrypt is now available natively in PHP 5.3 via the crypt() function. I thought I'd create this bug to gauge interest and perhaps kick off some work to implement this.
Obviously this would need to be implemented in a backward compatible way. I would suggest something like:
1. Add 'password_hash' and 'salt' columns to user table, initially set to null
2. Add code to authenticate using bcrypt or similar (ideally using an existing library)
3. Update code for creating users to use new method
4. When a user logs in check if 'password_hash' is null
4a. If null authenticate using md5 and password column then calculate new hash with salt and store in db
4b. If not null authenticate using bcrypt and new data
This would gradually migrate existing sites to the new algorithm (as users log in) while allowing new sites to use bcrypt exclusively. For sites that want to migrate fully, the administrator could reset all 'old' passwords.
There are bound to be some edge cases that will need to be considered, such as 'changeme' passwords, other authentication plugins, etc. I would appreciate any thoughts from anyone more familiar with Moodle authentication.
Simon
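
The migrate-on-login flow proposed in steps 1 to 4b, as an added example that is not part of the original report and is not Moodle's code. It assumes the legacy hash is md5(password . site salt), uses an in-memory array in place of the user table, and uses PHP's password_hash()/password_verify() instead of calling crypt() directly; because bcrypt stores its random per-user salt inside the hash string, the separate 'salt' column from step 1 is not needed here.

```php
<?php
// Constructed site-wide salt; assumption: legacy scheme is md5(password . site salt).
const SITE_SALT = 'constructed-site-wide-salt';

function legacy_md5(string $password): string {
    return md5($password . SITE_SALT);
}

// Step 3: new users only ever get a bcrypt hash. password_hash() generates a
// random per-user salt and embeds it, with the cost, in the returned string.
function create_user(array &$users, string $name, string $password): void {
    $users[$name] = [
        'password'      => null,
        'password_hash' => password_hash($password, PASSWORD_BCRYPT),
    ];
}

// Step 4: authenticate, upgrading legacy rows after a successful login.
function login(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];
    if ($row['password_hash'] === null) {
        // 4a: check the legacy md5 column with a constant-time comparison.
        if ($row['password'] === null
            || !hash_equals($row['password'], legacy_md5($password))) {
            return false; // failed logins never trigger a rehash
        }
        $row['password_hash'] = password_hash($password, PASSWORD_BCRYPT);
        // Choice made in this example: clear the md5 value so the weak hash
        // no longer sits in the table once the account is migrated.
        $row['password'] = null;
        return true;
    }
    // 4b: migrated or new account, verify against bcrypt only.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data: one legacy account, one account created after the change.
$users = ['alice' => ['password' => legacy_md5('correct horse'), 'password_hash' => null]];
create_user($users, 'bob', 'battery staple');

var_dump(login($users, 'alice', 'wrong guess'));    // legacy row, bad password
var_dump(login($users, 'alice', 'correct horse'));  // legacy row, migrates
var_dump($users['alice']);                          // row state after migration
var_dump(login($users, 'alice', 'correct horse'));  // now takes the bcrypt path
var_dump(login($users, 'bob', 'battery staple'));   // never had an md5 hash
```

Accounts that never log in keep their md5 hash, which is why the report suggests an administrator reset of the remaining 'old' passwords for sites that want to migrate fully.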
Issue Links
- has a non-specific relationship to
  - MDL-38102 New password hashing method fails (Closed)
  - MDL-37963 Testing generator should not call hashing function when not necessary (Closed)
  - MDL-37033 Decide Moodle 2.5 requirements and push them to environment.xml (Closed)
- has been marked as being related by
  - MDL-37320 MD5 Codification for Passwords and Sessions Folder (Closed)
- is duplicated by
  - MDL-36057 Upgrade safety of password hashing method in Moodle core (Closed)