mahara-contributors team mailing list archive

Thread
Date

[Bug 843568] Re: Stored passwords with a stronger hash algorithm

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Hugh Davenport <843568@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Nov 2011 02:28:39 -0000
Reply-to: Bug 843568 <843568@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

See
https://wiki.mahara.org/index.php/Developer_Area/Specifications_in_Development/Improve_Password_Storage

This depends on bug 890045

** Changed in: mahara
     Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568

Title:
  Stored passwords with a stronger hash algorithm

Status in Mahara ePortfolio:
  In Progress

Bug description:
  MD5 is broken, we should switch to something better.

  Ideally, we should use PHP 5.3.2's crypt() function
  (http://nz.php.net/manual/en/function.crypt.php) with the
  CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
  but ideally a large number (we should do tests here).

  Note that bulk creation of users will be slowed down by using a slow
  hash. So perhaps in that case, we should use SHA256. Which means that
  Mahara needs to recognize 3 hash formats at least:

  - the existing MD5-hashed passwords
  - the new Blowfish ones
  - the new SHA256 ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions

References

[Bug 843568] [NEW] Stored passwords with a stronger hash algorithm
From: François Marier, 2011-09-07