mahara-contributors team mailing list archive
Message #08286
[Bug 843568] A change has been merged
Reviewed: https://reviews.mahara.org/855
Committed: http://gitorious.org/mahara/mahara/commit/5a714bf73796693bf71ffa75fcb89800dc3c0ed3
Submitter: Francois Marier (francois@xxxxxxxxxxxxxxx)
Branch: master
commit 5a714bf73796693bf71ffa75fcb89800dc3c0ed3
Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
Date: Tue Nov 15 12:52:43 2011 +1300
Add a sitewide salt that isn't in the db
This salt is used to add an extra layer of salting that
isn't visible from the database. This requires attackers
to obtain both the database and the config.php file to
get the true salt value that is passed to crypt.
Bug #843568
See http://docs.moodle.org/20/en/Password_salting
Change-Id: Iaa575a4724e387104f9e436c07b336ef8c7ebef5
Signed-off-by: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
Signed-off-by: Francois Marier <francois@xxxxxxxxxxxxxxx>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568
Title:
Stored passwords with a stronger hash algorithm
Status in Mahara ePortfolio:
Fix Committed
Bug description:
MD5 is broken; we should switch to something better.
Ideally, we should use PHP 5.3.2's crypt() function
(http://nz.php.net/manual/en/function.crypt.php) with the
CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
but ideally a large number (we should do tests here).
Note that bulk creation of users will be slowed down by using a slow
hash. So perhaps in that case, we should use SHA256. Which means that
Mahara needs to recognize 3 hash formats at least:
- the existing MD5-hashed passwords
- the new Blowfish ones
- the new SHA256 ones
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions
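The scheme discussed in this thread, as an added example that is not Mahara's code and not part of the original message: a per-user salt stored alongside the hash in the database, a site-wide secret that lives only in the config file (so an attacker needs both the database dump and config.php, as the commit message describes), a slow hash with a tunable cost for normal logins, a cheaper salted SHA-256 for bulk user creation, and a verify routine that recognises all three stored formats (legacy unsalted MD5, slow, fast) and rehashes legacy rows on successful login. It is written in Python rather than PHP so it runs stand-alone; PBKDF2-HMAC-SHA256 stands in for crypt()'s CRYPT_BLOWFISH, and the SITE_SALT value, the "$pbkdf2$"/"$sha256$" format tags and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the secret that the commit above moves into
# config.php; in a real deployment it is read from the config file and is
# never written to the database (assumption: name and value are illustrative).
SITE_SALT = b"example-site-salt-from-config.php"

# Stored formats verify() must recognise:
#   legacy unsalted MD5 ........ 32 hex chars, no prefix
#   slow hash .................. "$pbkdf2$cost=N$<salt hex>$<dk hex>"
#   cheap hash for bulk create . "$sha256$<salt hex>$<digest hex>"
# The "$...$" tags are this example's own convention, not Mahara's.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _pepper(password, site_salt):
    """Bind the site-wide secret to the password before hashing (HMAC, so
    the secret is used as a key rather than merely concatenated)."""
    return hmac.new(site_salt, password.encode("utf-8"), hashlib.sha256).digest()


def hash_slow(password, cost=12, salt=None, site_salt=SITE_SALT):
    """Deliberately slow hash for normal logins. PBKDF2-HMAC-SHA256 stands
    in for crypt()'s CRYPT_BLOWFISH; cost is log2 of the iteration count,
    the same knob the bug report asks about tuning."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password, site_salt), salt, 1 << cost)
    return "$pbkdf2$cost=%d$%s$%s" % (cost, salt.hex(), dk.hex())


def hash_fast(password, salt=None, site_salt=SITE_SALT):
    """Single salted SHA-256 for bulk user creation, where a slow hash per
    account would be too expensive; still salted and peppered."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + _pepper(password, site_salt)).hexdigest()
    return "$sha256$%s$%s" % (salt.hex(), digest)


def hash_legacy_md5(password):
    """The pre-existing unsalted MD5 format (no pepper: those rows predate
    the site salt). Present only so the upgrade path can be exercised."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify(password, stored, site_salt=SITE_SALT):
    """Check password against a stored hash in any of the three formats.
    Raises ValueError on an unknown format rather than silently failing."""
    if LEGACY_MD5_RE.match(stored):
        return hmac.compare_digest(hash_legacy_md5(password), stored)
    parts = stored.split("$")
    if len(parts) == 5 and parts[1] == "pbkdf2":
        cost = int(parts[2].split("=", 1)[1])
        salt = bytes.fromhex(parts[3])
        return hmac.compare_digest(hash_slow(password, cost, salt, site_salt), stored)
    if len(parts) == 4 and parts[1] == "sha256":
        salt = bytes.fromhex(parts[2])
        return hmac.compare_digest(hash_fast(password, salt, site_salt), stored)
    raise ValueError("unrecognised password hash format")


def verify_and_upgrade(password, stored, site_salt=SITE_SALT):
    """Login path: returns (ok, hash_to_store). A correct password against
    an MD5 or fast-SHA256 row yields a fresh slow hash to write back, so
    old rows migrate transparently; otherwise the stored value is returned."""
    if not verify(password, stored, site_salt):
        return False, stored
    if stored.startswith("$pbkdf2$"):
        return True, stored
    return True, hash_slow(password, site_salt=site_salt)


if __name__ == "__main__":
    h = hash_slow("correct horse battery staple")
    print(h)
    print(verify("correct horse battery staple", h))
    # Same database row, wrong config.php: the row alone is not enough.
    print(verify("correct horse battery staple", h, site_salt=b"attacker-guess"))
```

The third call in the usage block is the property the commit message is after: the stored hash cannot be checked, let alone brute-forced offline, by someone holding only the database. Note that the legacy MD5 branch is unsalted and unpeppered, so the upgrade-on-login in verify_and_upgrade is what actually retires those rows; rows for users who never log in again stay weak and should be expired separately.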