Using both Blowfish and SHA256 is not ideal, as some users will have stronger passwords than others. We could probably use Blowfish as the main method. With regard to bulk user creation, we can indeed use SHA256 for speed, but upon the login of such a user, after SHA256 verification, the password hash will be replaced with a generated Blowfish one. We might force conversion of existing MD5 passwords to Blowfish as well.
--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568

Title:
  Stored passwords with a stronger hash algorithm

Status in Mahara ePortfolio:
  Triaged

Bug description:
  MD5 is broken, we should switch to something better. Ideally, we should use PHP 5.3.2's crypt() function (http://nz.php.net/manual/en/function.crypt.php) with the CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use, but ideally a large number (we should do tests here).

  Note that bulk creation of users will be slowed down by using a slow hash. So perhaps in that case, we should use SHA256. Which means that Mahara needs to recognize 3 hash formats at least:
  - the existing MD5-hashed passwords
  - the new Blowfish ones
  - the new SHA256 ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions

Mailing list: https://launchpad.net/~mahara-contributors
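The scheme discussed in this thread (recognise MD5, SHA256-crypt and Blowfish-crypt hashes; use the fast SHA256 path for bulk creation; rewrite the stored hash as Blowfish once a login succeeds; pick the cost by measurement) is shown below as an added example. It is not Mahara's code and not part of the bug report; it assumes PHP 7 or later (random_bytes, hash_equals), assumes the legacy MD5 format is an unsalted 32-hex-digit md5() of the password, and all function names (hash_format, make_blowfish_hash, verify_and_upgrade, choose_bcrypt_cost) and the starting cost of 12 are hypothetical.

```php
<?php
// Added example, not Mahara's code. Assumes PHP 7+ (random_bytes, hash_equals).
// Recognises the three hash formats named in the bug (legacy MD5, SHA-256 crypt,
// Blowfish crypt), verifies against whichever one is stored, and returns a fresh
// Blowfish hash to store after a successful login so every user converges on it.

define('BCRYPT_COST', 12); // assumed starting cost; tune with choose_bcrypt_cost()

// Work out which format a stored hash is in from its prefix.
function hash_format($stored) {
    if (substr($stored, 0, 4) === '$2y$' || substr($stored, 0, 4) === '$2a$') {
        return 'blowfish';
    }
    if (substr($stored, 0, 3) === '$5$') {
        return 'sha256';
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return 'md5'; // assumption: unsalted md5($password) as hex digits
    }
    return 'unknown';
}

// 22-character salt drawn from the bcrypt alphabet [./A-Za-z0-9].
function bcrypt_salt() {
    $raw = base64_encode(random_bytes(16));
    return substr(strtr($raw, '+', '.'), 0, 22);
}

function make_blowfish_hash($password, $cost = BCRYPT_COST) {
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) { // crypt() returns a short string on failure
        throw new RuntimeException('CRYPT_BLOWFISH unavailable or bad setting');
    }
    return $hash;
}

function make_sha256_hash($password) {
    // Fast path for bulk user creation; upgraded to Blowfish on first login.
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return crypt($password, '$5$' . $salt . '$');
}

function verify_password($password, $stored) {
    switch (hash_format($stored)) {
        case 'blowfish':
        case 'sha256':
            // crypt() reads the salt and parameters back out of $stored itself.
            return hash_equals($stored, crypt($password, $stored));
        case 'md5':
            return hash_equals($stored, md5($password));
        default:
            return false;
    }
}

// Returns array(ok, new_hash); new_hash is non-null when the record should be rewritten.
function verify_and_upgrade($password, $stored) {
    if (!verify_password($password, $stored)) {
        return array(false, null);
    }
    $needs_upgrade = hash_format($stored) !== 'blowfish'
        || (int) substr($stored, 4, 2) < BCRYPT_COST; // also bump old, cheaper costs
    return array(true, $needs_upgrade ? make_blowfish_hash($password) : null);
}

// Pick the highest cost whose single hash stays under $target_ms on this host.
function choose_bcrypt_cost($target_ms = 250) {
    $cost = 4; // minimum cost crypt() accepts
    do {
        $cost++;
        $start = microtime(true);
        make_blowfish_hash('benchmark', $cost);
        $elapsed_ms = (microtime(true) - $start) * 1000;
    } while ($elapsed_ms < $target_ms && $cost < 31);
    return $cost - 1;
}

// Usage (constructed input): a legacy MD5 user logs in and is migrated.
$stored = md5('correct horse');
list($ok, $newHash) = verify_and_upgrade('correct horse', $stored);
echo $ok ? 'login ok' : 'login failed', PHP_EOL;
echo $newHash === null ? 'no upgrade' : 'store: ' . hash_format($newHash), PHP_EOL;
```

Verification always goes through crypt() with the stored string as the setting, so the salt and cost embedded in each record are reused rather than re-parsed by hand, and hash_equals keeps the comparison constant-time across all three formats. The upgrade check also rewrites Blowfish hashes whose recorded cost is lower than the current target, which lets the cost be raised later without a separate migration.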