Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Fix Version: Future Dev
Description
This is broadly very similar to MDL-36057, where we updated from md5 to password_hash(), which uses bcrypt (Blowfish). Here we want to upgrade from Blowfish to something more modern and approved by various government agencies, e.g. SHA-256, SHA-384 or SHA-512:
https://www.cyber.gov.au/ism/guidelines-using-cryptography
Also, as part of this, we should update the password history tracking so that it either uses the same more secure hash or treats this more as a checksum than a hash, as we only need to look for collisions and a false positive here doesn't matter (unlike a real password check).
https://github.com/moodle/moodle/blob/master/user/lib.php#L1011-L1024
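The two pieces of work the description asks for, shown together as an added example in PHP; this is not Moodle code and not a proposed patch, just a sketch of the shape the change would take. It assumes the existing rows hold the "$2y$" bcrypt strings password_hash() produces, and it picks PBKDF2-HMAC-SHA-512 (stored as "pbkdf2-sha512$iterations$salt$digest") as the SHA-2 based target scheme: a bare, unsalted SHA-256/512 of a password is fast to brute-force offline, so the approved SHA-2 constructions for password storage are iterated and salted ones, and that choice is mine, not the issue's. The upgrade itself uses the same rehash-on-login pattern MDL-36057 used for md5 to bcrypt. For the history table the example follows the "checksum" idea with a fixed-cost HMAC-SHA-256; keying it with a secret that lives outside the database (the config name $CFG->passwordhistorykey is hypothetical) is my addition, so that a leaked history table does not become a crackable list of every user's previous passwords.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's code. Assumptions: legacy hashes are the "$2y$"
// bcrypt strings from password_hash(); the new scheme and its storage format are
// chosen here, not taken from the issue.

const PBKDF2_ITERATIONS = 210000;  // assumed cost; tune to roughly 100 ms on the target host
const PBKDF2_SALT_BYTES = 16;

/** Hash a password with the new scheme: PBKDF2-HMAC-SHA-512, random per-user salt. */
function hash_password_new(string $password, int $iterations = PBKDF2_ITERATIONS): string {
    $salt = random_bytes(PBKDF2_SALT_BYTES);
    $digest = hash_pbkdf2('sha512', $password, $salt, $iterations, 0, true);
    return 'pbkdf2-sha512$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($digest);
}

/** True for a bcrypt hash written by the current password_hash() code path. */
function is_legacy_hash(string $stored): bool {
    return strncmp($stored, '$2y$', 4) === 0;
}

/** Verify against either format; the stored string tells us which scheme produced it. */
function verify_password(string $password, string $stored): bool {
    if (is_legacy_hash($stored)) {
        return password_verify($password, $stored);
    }
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha512') {
        return false;   // unknown format: fail closed
    }
    [, $iterations, $salt, $digest] = $parts;
    $expected = hash_pbkdf2('sha512', $password, base64_decode($salt, true), (int) $iterations, 0, true);
    return hash_equals(base64_decode($digest, true), $expected);
}

/**
 * Rehash-on-login: returns [verified, newhash]. newhash is non-null only when the
 * password was correct AND the stored hash is still bcrypt, so the caller can
 * rewrite the row now that it has the plaintext in hand.
 */
function verify_and_upgrade(string $password, string $stored): array {
    if (!verify_password($password, $stored)) {
        return [false, null];
    }
    return [true, is_legacy_hash($stored) ? hash_password_new($password) : null];
}

/**
 * Password-history fingerprint. A false positive here only blocks a reuse
 * attempt, so a fixed-cost digest is acceptable; keying it with a site secret
 * held outside the database (hypothetical $CFG->passwordhistorykey) keeps a
 * leaked history table from being cracked offline like an unkeyed SHA-256 would be.
 */
function history_fingerprint(string $password, string $sitekey): string {
    return hash_hmac('sha256', $password, $sitekey);
}

function password_in_history(string $password, array $history, string $sitekey): bool {
    $fp = history_fingerprint($password, $sitekey);
    foreach ($history as $old) {
        if (hash_equals($old, $fp)) {
            return true;
        }
    }
    return false;
}

// Demo on constructed data.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT);
[$ok, $new] = verify_and_upgrade('correct horse', $legacy);
echo 'legacy row verified and upgraded: ', var_export($ok && $new !== null && !is_legacy_hash($new), true), "\n";
[$ok2, $new2] = verify_and_upgrade('correct horse', $new);
echo 'already on new scheme, no rewrite: ', var_export($ok2 && $new2 === null, true), "\n";
echo 'wrong password rejected: ', var_export(!verify_password('wrong', $new), true), "\n";
$sitekey = 'constructed-demo-key';
$history = [history_fingerprint('old-pass-1', $sitekey), history_fingerprint('old-pass-2', $sitekey)];
echo 'reuse detected: ', var_export(password_in_history('old-pass-2', $history, $sitekey), true), "\n";
echo 'new password allowed: ', var_export(!password_in_history('brand-new', $history, $sitekey), true), "\n";
```

The format prefix is what makes the migration incremental: rows are rewritten only as users log in, verify_password() keeps accepting bcrypt rows until then, and a later change of iteration count can be handled the same way by comparing the stored iteration field against PBKDF2_ITERATIONS.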
Issue Links
- has been marked as being related by MDL-65818 Provide admin setting type for secure data (passwords/tokens) (Closed)