
mahara-contributors team mailing list archive

[Bug 843568] [NEW] Stored passwords with a stronger hash algorithm

 

Public bug reported:

MD5 is broken; we should switch to something better.

Ideally, we should use PHP 5.3.2's crypt() function
(http://nz.php.net/manual/en/function.crypt.php) with the CRYPT_BLOWFISH
algorithm. Not sure what cost parameter we should use, but ideally a
large number (we should do tests here).

Note that bulk creation of users will be slowed down by using a slow
hash. So perhaps in that case, we should use SHA256. Which means that
Mahara needs to recognize 3 hash formats at least:

- the existing MD5-hashed passwords
- the new Blowfish ones
- the new SHA256 ones

** Affects: mahara
     Importance: Medium
         Status: Triaged


** Tags: password

** Changed in: mahara
       Status: New => Triaged

** Changed in: mahara
   Importance: Undecided => Medium

** Changed in: mahara
    Milestone: None => 1.5.0

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568

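The following is an added worked example, not code from the bug report or from Mahara itself. It sketches the three-format scheme the report asks for: verification that recognises a stored hash by its prefix (legacy unsalted MD5, bcrypt from crypt() with CRYPT_BLOWFISH, and SHA-256 crypt for the fast bulk-creation path), a transparent upgrade of legacy records on successful login, and a small benchmark loop for choosing the bcrypt cost. All function names, the BCRYPT_COST default, the 0.25 s login budget and the sample passwords are assumptions for illustration; it also assumes the legacy column holds plain md5() hex and that PHP 7 or later is available (for random_int() and hash_equals(), and for the "$2y$" bcrypt prefix that PHP 5.3.7 introduced).

```php
<?php
// Added example (not Mahara code): recognise MD5, bcrypt and SHA-256 crypt
// hashes side by side, upgrade legacy records on login, and tune bcrypt cost.
declare(strict_types=1);

const BCRYPT_COST = 12;          // assumed starting point; see pick_bcrypt_cost()
const LOGIN_BUDGET_SECONDS = 0.25; // assumed acceptable per-login hashing time

// Classify a stored value by the crypt() prefix. Returns 'bcrypt', 'sha256',
// 'md5' or null for anything we do not understand (never "fall through" to MD5).
function hash_format(string $stored): ?string {
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $stored)) { return 'bcrypt'; }
    if (strpos($stored, '$5$') === 0)                 { return 'sha256'; }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored))     { return 'md5'; }
    return null;
}

// crypt() salts use the 64-character alphabet [./0-9A-Za-z].
function random_salt_chars(int $length): string {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, 63)];
    }
    return $out;
}

// Slow hash for interactive accounts: "$2y$<cost>$<22 salt chars>" -> 60 chars.
function hash_bcrypt(string $password, int $cost = BCRYPT_COST): string {
    $salt = sprintf('$2y$%02d$%s', $cost, random_salt_chars(22));
    $hash = crypt($password, $salt);
    if (strlen($hash) !== 60) {           // crypt() returns '*0'/'*1' on failure
        throw new RuntimeException('CRYPT_BLOWFISH not available');
    }
    return $hash;
}

// Cheaper hash for bulk user creation: SHA-256 crypt, "$5$rounds=N$<16 salt>$".
function hash_sha256crypt(string $password, int $rounds = 5000): string {
    $salt = sprintf('$5$rounds=%d$%s$', $rounds, random_salt_chars(16));
    $hash = crypt($password, $salt);
    if (strpos($hash, '$5$') !== 0) {
        throw new RuntimeException('CRYPT_SHA256 not available');
    }
    return $hash;
}

// Verify against whichever format the record is in. For crypt()-style hashes the
// stored string doubles as the salt/parameter spec, so recomputing is one call.
function verify_password(string $password, string $stored): bool {
    switch (hash_format($stored)) {
        case 'bcrypt':
        case 'sha256':
            return hash_equals($stored, crypt($password, $stored));
        case 'md5':   // assumed legacy layout: unsalted md5() hex
            return hash_equals(strtolower($stored), md5($password));
        default:
            return false;
    }
}

// After a successful login, return a bcrypt replacement for any non-bcrypt
// record (MD5 or bulk-created SHA-256) so the caller can write it back; null
// means the record is already in the strongest format.
function rehash_if_legacy(string $password, string $stored): ?string {
    if (!verify_password($password, $stored) || hash_format($stored) === 'bcrypt') {
        return null;
    }
    return hash_bcrypt($password);
}

// Empirically choose the largest cost whose single hash fits the login budget.
// Run this on the real server class; cost is log2 of the work factor.
function pick_bcrypt_cost(float $budget = LOGIN_BUDGET_SECONDS, int $min = 10, int $max = 14): int {
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        hash_bcrypt('benchmark-only-password', $cost);
        if (microtime(true) - $start > $budget) { break; }
        $chosen = $cost;
    }
    return $chosen;
}

// Demonstration on constructed records.
$password = 'correct horse battery staple';
$records  = [md5($password), hash_sha256crypt($password), hash_bcrypt($password)];
foreach ($records as $stored) {
    printf("%-6s correct=%d wrong=%d\n", hash_format($stored),
        verify_password($password, $stored) ? 1 : 0,
        verify_password('not the password', $stored) ? 1 : 0);
}
$upgraded = rehash_if_legacy($password, $records[0]);
echo 'legacy MD5 record upgraded to: ', hash_format($upgraded), "\n";
echo 'suggested bcrypt cost on this host: ', pick_bcrypt_cost(), "\n";
```

Two design points worth keeping if this approach is adopted: unknown formats must fail closed rather than being treated as MD5, and the cost chosen by pick_bcrypt_cost() only needs to be stored implicitly, because crypt() reads it back out of the "$2y$NN$" prefix, so raising it later just means re-hashing on the next login.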

