Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67390

Update password hashing to something more secure eg SHA-256

    XMLWordPrintable

    Details

      Description

      This is broadly very similar to MDL-36057 where we updated from md5 to password_hash() which uses bcrypt (blowfish), here we want to upgrade from blowfish to something which is more modern and approved by various gov agencies, eg SHA-256, SHA-384, SHA-512:

      https://www.cyber.gov.au/ism/guidelines-using-cryptography

       

       

      Also as part of this we should update the password history tracking in a way that either uses the same more secure hash, or treats this more as a checksum rather than a hash as we only need to look for collisions and a false positive here doesn't matter (unlike a real password check).

      https://github.com/moodle/moodle/blob/master/user/lib.php#L1011-L1024

       

        Attachments

          Issue Links

          has been marked as being related by

          Improvement - An enhancement to an existing Moodle feature. MDL-65818 Provide admin setting type for secure data (passwords/tokens)

          • Minor - Minor loss of function where workaround is possible
          • Closed

            Activity

              People

              Assignee:
              peterburnett Peter Burnett
              Reporter:
              brendanheywood Brendan Heywood
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              4 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated: