Moodle / MDL-36057

Upgrade safety of password hashing method in Moodle core

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.3, 2.4
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Affected Branches:
      MOODLE_23_STABLE, MOODLE_24_STABLE

      Description

      It is 2012 and Moodle is still using md5 as a hashing algorithm. Even though salt support is added, it is now time to follow the latest trends and upgrade this to use the following scheme:

      • Every password has its own salt
      • Use CRYPT_BLOWFISH for hashing passwords

      This would imply the following changes:

      • Update validate_internal_user_password to use new hash check
      • Update hash_internal_user_password to use new hash method
      • Expand the password field in the user table to 64 characters, since Blowfish produces a hash merged with the individual salt.

      With these changes any potential rainbow attack would be seriously crippled, at least for the time being.
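
The scheme proposed above, shown as an added PHP example that is not Moodle's code or the reporter's: per-password salted CRYPT_BLOWFISH hashing, plus a fallback check for existing md5 rows that goes beyond the issue text. The `example_*` function names, the md5-plus-site-salt legacy format and the sample values are assumptions.

```php
<?php
// Added illustration, not Moodle code; every function name here is hypothetical.

// Hash a password with CRYPT_BLOWFISH using a fresh random salt per call.
function example_hash_password(string $password, int $cost = 10): string {
    // A bcrypt salt is 22 characters drawn from ./A-Za-z0-9.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        // crypt() returns a short failure token instead of a hash on error.
        throw new RuntimeException('CRYPT_BLOWFISH is unavailable or the salt was rejected');
    }
    return $hash; // prefix, cost, salt and digest in one string
}

// Check a password against either hash format.
// Returns [valid, needs_rehash] so a caller can upgrade old rows after login.
function example_verify_password(string $password, string $stored, string $sitesalt): array {
    if (strncmp($stored, '$2y$', 4) === 0) {
        // crypt() reads the cost and salt back out of the stored hash.
        return [hash_equals($stored, crypt($password, $stored)), false];
    }
    // Assumed legacy format: md5 of the password plus one site-wide salt.
    $valid = hash_equals($stored, md5($password . $sitesalt));
    return [$valid, $valid];
}

// Constructed sample data.
$sitesalt = 'constructed-site-salt';
$legacy   = md5('correct horse' . $sitesalt);

// A successful login against a legacy row is the moment to re-hash it.
[$valid, $rehash] = example_verify_password('correct horse', $legacy, $sitesalt);
if ($valid && $rehash) {
    $legacy = example_hash_password('correct horse'); // would be written back to the user row
}

// Two hashes of the same password use different salts.
$a = example_hash_password('correct horse');
$b = example_hash_password('correct horse');
var_dump($a !== $b);
var_dump(example_verify_password('correct horse', $a, $sitesalt)[0]);
var_dump(example_verify_password('wrong guess', $a, $sitesalt)[0]);
var_dump(strlen($a));
```

The bcrypt string is 60 characters long, so it fits the 64-character column proposed above.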

              People

              Assignee:
              skodak Petr Skoda
              Reporter:
              darko.miletic Darko Miletic
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              1
              Watchers:
              2