Actions

Proposals/Done/Improve Password Storage: Difference between revisions

From Mahara Wiki

< Proposals‎ | Done
(Created page with "This is a brief overview on how to improve the password storage in Mahara. This is only for user passwords stored in the usr table. Currently, these passwords are stored as a s…")
 
 
(4 intermediate revisions by 2 users not shown)
Line 12: Line 12:
The layout this page suggests is:
The layout this page suggests is:


- On login, check whether it is using the new hash technique, if so use that
* Add a database upgrade script that changes all existing password hashs to sha512(newsalt + oldhash)
-- Otherwise, use the old technique and if successful change the password to use the new technique (user doesn't need any input except for initial password to log in, and maybe a small pause). Next time they can use the old technique.
* On login, check whether it is using the new hash technique, if so use that
** Otherwise, try to login using sha512(salt + sha1(salt . password))
** If successful change the password to use the new technique (user doesn't need any input except for initial password to log in, and maybe a small pause). Next time they can use the new technique.


A note about bulk uploads:
A note about bulk uploads:


When uploading a CSV to create users, we don't really want to spend a large amount of time hashing passwords. Because of this I would suggest using the old technique of sha1($salt . $password) for this bulk upload of users.
When uploading a CSV to create users, we don't really want to spend a large amount of time hashing passwords. Because of this I would suggest using the sha512(salt + sha1(salt . password) technique, and on next login this will change.
 
Also, a suggestion was made to use a parameter such as passwordsaltmain like moodle.
 
 
Also see http://docs.moodle.org/20/en/Password_salting

Latest revision as of 17:43, 11 July 2020

This is a brief overview on how to improve the password storage in Mahara.

This is only for user passwords stored in the usr table.

Currently, these passwords are stored as a sha1 of the salt concatenated with the password (PHP sha1($salt . $password)). The salt is generated as $salt = substr(md5(rand(1000000, 9999999)), 2, 8);

A suggestion was made to improve the storage of these passwords by using a stronger algorithm. See https://bugs.launchpad.net/mahara/+bug/843568

The algorithm in question is bcrypt or CRYPT_BLOWFISH (available on PHP 5.3+, and below if it is available on the OS level).

The layout this page suggests is:

  • Add a database upgrade script that changes all existing password hashs to sha512(newsalt + oldhash)
  • On login, check whether it is using the new hash technique, if so use that
    • Otherwise, try to login using sha512(salt + sha1(salt . password))
    • If successful change the password to use the new technique (user doesn't need any input except for initial password to log in, and maybe a small pause). Next time they can use the new technique.

A note about bulk uploads:

When uploading a CSV to create users, we don't really want to spend a large amount of time hashing passwords. Because of this I would suggest using the sha512(salt + sha1(salt . password) technique, and on next login this will change.

Also, a suggestion was made to use a parameter such as passwordsaltmain like moodle.


Also see http://docs.moodle.org/20/en/Password_salting

Retrieved from ‘https://wiki.mahara.org/index.php?title=Proposals/Done/Improve_Password_Storage&oldid=11531