mahara-contributors team mailing list archive
Message #08288
[Bug 843568] A change has been merged
Reviewed: https://reviews.mahara.org/854
Committed: http://gitorious.org/mahara/mahara/commit/75ff6aae2212f9b5988faad46a3e3c6cc6540e3c
Submitter: Francois Marier (francois@xxxxxxxxxxxxxxx)
Branch: master
commit 75ff6aae2212f9b5988faad46a3e3c6cc6540e3c
Author: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
Date: Mon Nov 14 17:58:05 2011 +1300
Change internal password algorithm to bcrypt
This changes the internal authentication plugin to use
bcrypt instead of sha1.
It also introduces a fast hash (SHA512) for bulk operations.
This hash is updated on user login to the bcrypt hash.
Bug #843568
See https://wiki.mahara.org/index.php/Developer_Area/Specifications_in_Development/Improve_Password_Storage
Change-Id: Ibf2f71bb5b5a5279dbc16ccda781ad99e81c59b8
Signed-off-by: Hugh Davenport <hugh@xxxxxxxxxxxxxxx>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568
Title:
Stored passwords with a stronger hash algorithm
Status in Mahara ePortfolio:
Fix Committed
Bug description:
MD5 is broken, we should switch to something better.
Ideally, we should use PHP 5.3.2's crypt() function
(http://nz.php.net/manual/en/function.crypt.php) with the
CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
but ideally a large number (we should do tests here).
Note that bulk creation of users will be slowed down by using a slow
hash. So perhaps in that case, we should use SHA256. Which means that
Mahara needs to recognize 3 hash formats at least:
- the existing MD5-hashed passwords
- the new Blowfish ones
- the new SHA256 ones
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions
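The scheme described in the commit message and the bug report, as an added example in PHP (not Mahara's own code): a password store that recognises several hash formats, writes bcrypt via crypt() with CRYPT_BLOWFISH by default, uses a fast salted SHA-512 for bulk user creation, and rewrites that fast hash to bcrypt on a successful login. The `algo$salt$hex` storage layout, the legacy `sha1` format and the cost of 12 are assumptions for illustration.

```php
<?php
// Added example, not Mahara's code. Storage layout is assumed:
//   "$2y$..."            bcrypt, produced by crypt() with CRYPT_BLOWFISH
//   "sha512$<salt>$<hex>" fast hash for bulk imports, upgraded on login
//   "sha1$<salt>$<hex>"   legacy format (assumed), also upgraded on login

const BCRYPT_COST = 12; // assumed value; the bug asks for timing tests per host

function bcrypt_hash(string $password): string {
    // CRYPT_BLOWFISH salt: "$2y$" + two-digit cost + 22 chars from [./A-Za-z0-9]
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', BCRYPT_COST, $salt));
    if (strlen($hash) !== 60) { // crypt() signals failure with a short string
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function fast_hash(string $password): string {
    // Salted SHA-512 for bulk creation; cheap, so it must be replaced at login
    $salt = bin2hex(random_bytes(16));
    return 'sha512$' . $salt . '$' . hash('sha512', $salt . $password);
}

function verify_password(string $password, string $stored): bool {
    if (strncmp($stored, '$2y$', 4) === 0 || strncmp($stored, '$2a$', 4) === 0) {
        // Re-running crypt() with the stored value as salt reproduces the hash
        return hash_equals($stored, crypt($password, $stored));
    }
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$algo, $salt, $hex] = $parts;
    if ($algo === 'sha512') {
        return hash_equals($hex, hash('sha512', $salt . $password));
    }
    if ($algo === 'sha1') { // legacy format, assumed layout
        return hash_equals($hex, sha1($salt . $password));
    }
    return false; // unknown format: never accept
}

// Login path: returns the value to store (upgraded to bcrypt if it was not
// already current bcrypt), or null when the password does not verify.
function login(string $password, string $stored): ?string {
    if (!verify_password($password, $stored)) {
        return null;
    }
    return strncmp($stored, '$2y$', 4) === 0 ? $stored : bcrypt_hash($password);
}
```

Bulk user creation would call fast_hash() and store the result; the first login then replaces it with the bcrypt value returned by login().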