Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-79134

Backup: Deprecate MD5 for included user passwords

    XMLWordPrintable

Details

    • MOODLE_403_STABLE
    • MOODLE_403_STABLE
    • master_MDL-79134
    • Hide

      The test procedure for this patches requires restoring the provided course backup and the ability to directly check values in the user table of the Moodle database.

      The backup contains 4 users all with the last name "password". 3 of the users have a md5 hashed password in the backup file and 1 of the users has an SHA512 hashed password. Upon restore the 3 users with MD5 should have their passwords upgraded to SHA512 ones, the 1 user who already has a SHA512 password should have no changes.

      1. Log into Moodle as an admin, if your username for admin account is named as admin, make sure you change it something else so that there is conflict betweek the restored users from the backup file and your admin user
      2. Navigate to "Browse list of users", `Site Administration  > Users > Browse list of users`
      3. Add a filter for `Last name contains "password"`
      4. Note how many users (if any) have the last name password.
      5. Restore the attached Moodle course backup into the Moodle instance
      6. Navigate to the course and confirm It has been restored and there are 4 enrolled users with the last name of"password", plus the user that performed the restore.
      7. Navigate to "Browse list of users", `Site Administration  > Users > Browse list of users`
      8. Confirm that the four users are now present in the list of site users.

       

      After the previous test is complete and before changing anything else in the Moodle instance:

      1. Access the Moodle database and check the password hashes stored in the Moodle user table for the 4 restored users. For example by using this query: `select id,username,password from m_user where lastname = 'password';`
      2. Confirm each of the 4 users do not have an MD5 hashed passwords and their passwords start with: $6$rounds=10000$
      3. Confirm the user with username: goodpassword1 has the following password for their hash (as this should not have been changed by the backup): $6$rounds=10000$BUINo7v7d/aEIkQ.$SxLHRGc5jN7FU9Gf.fVdSCnmiU0szCUeolihCTp2VkOyi38pKc6Npjw/VaTd6kMyuHY7qtzk3WTkLSz255Smu1

      Finally lets check that the user with the unaltered password can log in, but the others can not.

      1. Try logging into Moodle with the username: goodpassword1 and the password: nhy6^YHN
      2. Confirm that the user can login
      3. Try logging into Moodle with the username: badpassword1 and the password: mju7&UJM
      4. Confirm that the user can NOT login

       

      Show
      The test procedure for this patches requires restoring the provided course backup and the ability to directly check values in the user table of the Moodle database. The backup contains 4 users all with the last name "password". 3 of the users have a md5 hashed password in the backup file and 1 of the users has an SHA512 hashed password. Upon restore the 3 users with MD5 should have their passwords upgraded to SHA512 ones, the 1 user who already has a SHA512 password should have no changes. Log into Moodle as an admin, if your username for admin account is named as admin, make sure you change it something else so that there is conflict betweek the restored users from the backup file and your admin user Navigate to "Browse list of users", `Site Administration  > Users > Browse list of users` Add a filter for `Last name contains "password"` Note how many users (if any) have the last name password. Restore the attached Moodle course backup into the Moodle instance Navigate to the course and confirm It has been restored and there are 4 enrolled users with the last name of"password", plus the user that performed the restore. Navigate to "Browse list of users", `Site Administration  > Users > Browse list of users` Confirm that the four users are now present in the list of site users.   After the previous test is complete and before changing anything else in the Moodle instance: Access the Moodle database and check the password hashes stored in the Moodle user table for the 4 restored users. For example by using this query: `select id,username,password from m_user where lastname = 'password';` Confirm each of the 4 users do not have an MD5 hashed passwords and their passwords start with: $6$rounds=10000$ Confirm the user with username: goodpassword1 has the following password for their hash (as this should not have been changed by the backup): $6$rounds=10000$BUINo7v7d/aEIkQ.$SxLHRGc5jN7FU9Gf.fVdSCnmiU0szCUeolihCTp2VkOyi38pKc6Npjw/VaTd6kMyuHY7qtzk3WTkLSz255Smu1 Finally lets check that the user with the unaltered password can log in, but the others can not. Try logging into Moodle with the username: goodpassword1 and the password: nhy6^YHN Confirm that the user can login Try logging into Moodle with the username: badpassword1 and the password: mju7&UJM Confirm that the user can NOT login  
    • 1
    • Team Hedgehog 2023 Sprint 3.1
    • Small

    Description

      MDL-67390 introduces updated password hashing to use SHA-512 algorithm. As part of the upgrade step in this issue any remaining md5 hashes in the Moodle database are replaced with a randomly generated SHA-512 has.

      However, by setting the $CFG->includeuserpasswordsinbackup someone could have a (very) legacy backup file containing an md5 password. Restoring this backup would introduce md5 hashes back into the database.

      Because these users won't be able to login unless they reset their password anyway, we should protect against md5 hashes being added to the DB.

      Attachments

        Issue Links

          Activity

            People

              matt.porritt@moodle.com Matt Porritt
              matt.porritt@moodle.com Matt Porritt
              Safat Shahin Safat Shahin
              Andrew Lyons Andrew Lyons
              Kim Jared Lucas Kim Jared Lucas
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours
                  2h

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.