Reviewed:  https://reviews.mahara.org/855
Committed: http://gitorious.org/mahara/mahara/commit/5a714bf73796693bf71ffa75fcb89800dc3c0ed3
Submitter: Francois Marier (franc...@catalyst.net.nz)
Branch:    master

commit 5a714bf73796693bf71ffa75fcb89800dc3c0ed3
Author: Hugh Davenport <h...@catalyst.net.nz>
Date:   Tue Nov 15 12:52:43 2011 +1300

    Add a sitewide salt that isn't in the db
    
    This salt is used to add an extra layer of salting that
    isn't visible from the database. This requires attackers
    to obtain both the database, and the config.php file to
    get the true salt value that is passed to crypt.
    
    Bug #843568
    
    See http://docs.moodle.org/20/en/Password_salting
    
    Change-Id: Iaa575a4724e387104f9e436c07b336ef8c7ebef5
    Signed-off-by: Hugh Davenport <h...@catalyst.net.nz>
    Signed-off-by: Francois Marier <franc...@catalyst.net.nz>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/843568

Title:
  Stored passwords with a stronger hash algorithm

Status in Mahara ePortfolio:
  Fix Committed

Bug description:
  MD5 is broken, we should switch to something better.

  Ideally, we should use PHP 5.3.2's crypt() function
  (http://nz.php.net/manual/en/function.crypt.php) with the
  CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
  but ideally a large number (we should do tests here).

  Note that bulk creation of users will be slowed down by using a slow
  hash. So perhaps in that case, we should use SHA256. Which means that
  Mahara needs to recognize 3 hash formats at least:

  - the existing MD5-hashed passwords
  - the new Blowfish ones
  - the new SHA256 ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/843568/+subscriptions
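
The scheme outlined in the commit message and bug description, as an added PHP example that is not Mahara's code: the salt passed to crypt() is derived from a per-user salt in the database plus a site-wide salt from config.php, and verification dispatches on the three stored formats. The function names, the storage layout (prefix plus digest), the legacy `md5(salt . password)` format, the HMAC derivation and the cost of 10 are all assumptions.

```php
<?php
// Added example, not Mahara's code: names, storage layout and the legacy
// md5(salt . password) format are assumptions; SITE_SALT is a constructed value.
const SITE_SALT = 'constructed-value-kept-only-in-config.php';

// Per scheme: crypt() prefix, salt length, offset where the digest starts.
const SCHEMES = [
    'blowfish' => ['$2y$10$', 22, 29], // cost 10 is an assumed work factor
    'sha256'   => ['$5$', 16, 20],     // offset skips the '$' after the salt
];

// Salt actually passed to crypt(): derived from the per-user salt in the db and
// the site salt in config.php. Hex is valid in both crypt salt alphabets.
function true_salt(string $dbSalt, int $len): string {
    return substr(hash_hmac('sha256', $dbSalt, SITE_SALT), 0, $len);
}

// Returns prefix + digest only, so the db never holds the true salt.
function hash_password(string $password, string $dbSalt, string $scheme = 'blowfish'): string {
    [$prefix, $len, $skip] = SCHEMES[$scheme];
    $full = crypt($password, $prefix . true_salt($dbSalt, $len));
    if (strlen($full) <= $skip) {
        throw new RuntimeException('crypt() rejected the setting');
    }
    return $prefix . substr($full, $skip);
}

// Dispatch on the stored format; no crypt prefix means the legacy MD5 layout.
function verify_password(string $password, string $dbSalt, string $stored): bool {
    foreach (SCHEMES as $scheme => [$prefix]) {
        if (strncmp($stored, $prefix, strlen($prefix)) === 0) {
            return hash_equals($stored, hash_password($password, $dbSalt, $scheme));
        }
    }
    return hash_equals($stored, md5($dbSalt . $password));
}

// True when a successful login should re-store the password as Blowfish.
function needs_rehash(string $stored): bool {
    return strncmp($stored, SCHEMES['blowfish'][0], 7) !== 0;
}

// Constructed rows: one legacy MD5, one bulk-created SHA-256, one Blowfish.
$rows = [md5('s1' . 'hunter2'), hash_password('hunter2', 's1', 'sha256'), hash_password('hunter2', 's1')];
foreach ($rows as $stored) {
    var_dump(verify_password('hunter2', 's1', $stored), needs_rehash($stored));
}
```

A stored Blowfish hash whose cost differs from the one in `SCHEMES` fails verification here; a deployment that raises the cost would read it from the stored prefix instead.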
