
dhis2-devs-core team mailing list archive

MD5 password support dropped

 

Starting in release 2.21 we have completely dropped support for MD5 hashed
passwords in DHIS2. This means that any user who has not logged in on a
2.17 or later instance will have to reset their password (or have the
administrator deal with it).

For anyone doing maintenance of DHIS2: we now store passwords as a bcrypt
hash with embedded salt, using the $2a$ profile of bcrypt with a default
round count of 10. If you for some reason need to generate passwords
externally (I know this has been done using the dhispassword tool that Bob
wrote) there are implementations for pretty much any scripting environment.
Python example:

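import bcrypt
# hashpw() needs bytes; gensalt() takes the prefix without "$" (b"2a" gives a $2a$ hash)
password_hash = bcrypt.hashpw(b"thepassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))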

Thanks!
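
Added example, not part of the original message or of DHIS2's code: a standard-library Python check that sorts stored password values into the bcrypt profile described above ($2a$, cost 10 or higher), bcrypt values outside that profile, and leftover MD5 values whose owners will need a reset. The stored format of the legacy MD5 values (assumed here to be 32 hex characters), the usernames and the sample values are all constructed for illustration.

```python
import hashlib
import re

# Modular crypt format for bcrypt: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
# Assumption: a legacy MD5 value is stored as 32 bare hex characters.
MD5_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def classify(stored, want_variant="2a", min_cost=10):
    """Return 'ok', 'bcrypt-off-profile', 'legacy-md5' or 'unknown'."""
    m = BCRYPT_RE.match(stored)
    if m:
        variant, cost = m.group(1), int(m.group(2))
        if variant == want_variant and cost >= min_cost:
            return "ok"
        return "bcrypt-off-profile"  # other variant or too few rounds
    if MD5_HEX_RE.match(stored):
        return "legacy-md5"  # cannot log in after the MD5 drop; needs a reset
    return "unknown"  # empty, truncated or some other scheme


def audit(rows):
    """Group usernames by the status of their stored password value."""
    report = {}
    for user, stored in rows.items():
        report.setdefault(classify(stored), []).append(user)
    return report


# Constructed sample data: placeholder salt/digest text, not real hashes.
FAKE_SALT = "./" * 11      # 22 characters from the bcrypt alphabet
FAKE_DIGEST = "A" * 31     # 31 characters from the bcrypt alphabet
SAMPLE = {
    "alice": "$2a$10$" + FAKE_SALT + FAKE_DIGEST,
    "bob": hashlib.md5(b"constructed").hexdigest(),
    "carol": "$2a$04$" + FAKE_SALT + FAKE_DIGEST,
    "dave": "",
}

if __name__ == "__main__":
    for status, users in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(users)}")
```

The check looks only at the shape of each stored value, so it can run over an export of the credentials table without any plaintext passwords being involved.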