  1. Moodle
  2. MDL-52283

Deprecation of Salt Option for password_hash() in PHP7

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9.3, 3.0
    • Fix Version/s: 2.9.4, 3.0.1
    • Component/s: General
    • Labels:

      Description

      See https://github.com/tpunt/PHP7-Reference#deprecation-of-salt-option-for-password_hash

      With the introduction of the new password hashing API in PHP 5.5, many began implementing it and generating their own salts. Unfortunately, many of these salts were generated from cryptographically insecure functions like mt_rand(), making the salt far weaker than what would have been generated by default. (Yes, a salt is always used when hashing passwords with this new API!) The option to generate salts has therefore been deprecated to prevent developers from creating insecure salts.
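
The following is an added example, not Moodle's code and not taken from the linked reference. It calls password_hash() without the 'salt' option and parses the resulting bcrypt string to show that a fresh salt is still generated and stored inside every hash. The function names hash_new_password() and bcrypt_parts() and the sample password are constructed for illustration.

```php
<?php
// Added example: helper names and the sample password are constructed.

// Deprecated pattern this issue refers to (caller-supplied salt):
//   password_hash($password, PASSWORD_BCRYPT, ['salt' => $saltBuiltWithMtRand]);

/** Hash a password and let PHP generate the salt itself. */
function hash_new_password(string $password): string
{
    // Only 'cost' is passed; no 'salt' key, so nothing triggers the PHP 7 deprecation.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Split a bcrypt string "$2y$<cost>$<22-char salt><31-char digest>" into its fields. */
function bcrypt_parts(string $hash): array
{
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

$first  = hash_new_password($password);
$second = hash_new_password($password);

// Same password hashed twice: each call embeds its own salt, so the strings differ.
printf("salt 1: %s\nsalt 2: %s\n", bcrypt_parts($first)['salt'], bcrypt_parts($second)['salt']);
printf("salts differ:  %s\n", var_export(bcrypt_parts($first)['salt'] !== bcrypt_parts($second)['salt'], true));
printf("hashes differ: %s\n", var_export($first !== $second, true));

// password_verify() reads the algorithm, cost and salt back out of the stored
// string, so the application never stores or passes a salt separately.
printf("correct password verifies: %s\n", var_export(password_verify($password, $first), true));
printf("wrong password verifies:   %s\n", var_export(password_verify('wrong guess', $first), true));
```

Hashes created earlier with a caller-supplied salt use the same string format, so password_verify() still accepts them after the 'salt' option is dropped from new password_hash() calls.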

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                21/Dec/15