mahara-contributors team mailing list archive

Thread
Date

[Bug 843568] Re: Stored passwords with a stronger hash algorithm

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: François Marier <francois@xxxxxxxxxx>
Date: Mon, 20 Feb 2012 23:39:54 -0000
Reply-to: Bug 843568 <843568@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: mahara
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568

Title:
  Stored passwords with a stronger hash algorithm

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  MD5 is broken, we should switch to something better.

  Ideally, we should use PHP 5.3.2's crypt() function
  (http://nz.php.net/manual/en/function.crypt.php) with the
  CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
  but ideally a large number (we should do tests here).

  Note that bulk creation of users will be slowed down by using a slow
  hash. So perhaps in that case, we should use SHA256. Which means that
  Mahara needs to recognize 3 hash formats at least:

  - the existing MD5-hashed passwords
  - the new Blowfish ones
  - the new SHA256 ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions

References

[Bug 843568] [NEW] Stored passwords with a stronger hash algorithm
From: François Marier, 2011-09-07