

What do password salting and password peppering mean?

Password salting is a method of making password hashes more secure. A random string is appended to the password before the hash is computed. This makes it harder to recover the original password from the hash.

A password pepper is a secret key that is appended to the password at the time the hash is computed, in order to increase the security of the password hash. Such a key differs from a salt in that it is not stored together with the password hash. Instead, the pepper is stored separately in the Moodle configuration file config.php. It must be kept secret and must be hard to guess. Because the key is stored separately from the salt and the password hash, recovering the passwords is more difficult even if the password hashes have been compromised.

How does Moodle use password salting?

Prior to Moodle 2.5 there was a single site-wide salt which was used when hashing every user's password. From Moodle 2.5 onwards Moodle automatically generates and adds a different salt for each individual user. This is more secure and means that a site-wide configuration variable for the salt is no longer required for new installations of 2.5 or greater.

How does Moodle use password peppering?

Moodle 4.3 introduces password peppers that are configured and managed via the config.php file. A pepper needs to have at least 112 bits of entropy, so that the pepper itself cannot easily be brute forced even when a known password + hash combination is available.

Once a pepper is set, existing passwords will be updated on next user login. To set peppers for your site, the following setting must be set in config.php:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z'
      ];

The 'passwordpeppers' array must be numerically indexed with a positive number. New peppers can be added by adding a new element to the array with a higher numerical index. Upon next login a user's password will be rehashed with the new pepper:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z',
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$'
      ];

Peppers cannot be removed in bulk without resetting all user passwords. However, peppers can be progressively removed by setting the latest pepper to an empty string:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z',
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$',
          3 => ''
      ];
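The following is an added example, not Moodle's own code: a small Python model of the pepper lifecycle described above (per-user salt stored with the hash, pepper kept only in configuration, newer pepper applied at next login, an empty latest pepper meaning "no pepper" going forward). The storage format, the PBKDF2 construction and the function names are this example's own assumptions, and the pepper values are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed pepper table in the shape of $CFG->passwordpeppers: positive
# numeric index -> secret. Placeholder values, not real peppers.
PEPPERS = {1: "placeholder-pepper-one", 2: "placeholder-pepper-two"}

def effective_latest(peppers):
    """Index of the pepper new hashes must use; 0 means 'no pepper'
    (table empty, or the highest index holds an empty string)."""
    if not peppers:
        return 0
    idx = max(peppers)
    return 0 if peppers[idx] == "" else idx

def _digest(password, pepper, salt):
    # Salt is per user and stored with the hash; pepper lives only in config.
    return hashlib.pbkdf2_hmac("sha256", (password + pepper).encode(), salt, 100_000)

def hash_password(password, peppers, salt=None):
    """Stored form 'pepperindex$salthex$hashhex' (assumed here, not Moodle's format)."""
    idx = effective_latest(peppers)
    salt = salt or os.urandom(16)
    return f"{idx}${salt.hex()}${_digest(password, peppers.get(idx, ''), salt).hex()}"

def verify_password(password, stored, peppers):
    idx_s, salt_hex, digest_hex = stored.split("$")
    idx = int(idx_s)
    if idx != 0 and idx not in peppers:
        return False  # pepper removed from config: hash can no longer be checked
    digest = _digest(password, peppers.get(idx, ""), bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(stored, peppers):
    """True when the stored hash was made with an older pepper than config now names."""
    return int(stored.split("$")[0]) != effective_latest(peppers)

def login(password, stored, peppers):
    """Login as the page describes it: verify, then rehash with the newest pepper
    if the stored hash used an older one. Returns the (possibly new) stored hash,
    or None on a wrong password."""
    if not verify_password(password, stored, peppers):
        return None
    return hash_password(password, peppers) if needs_rehash(stored, peppers) else stored
```

Removing pepper 1 from the table only becomes safe once every user has logged in since pepper 2 was added; a hash still tagged with index 1 fails verification afterwards, which is why the page says bulk removal forces password resets.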

Backwards compatibility for site upgrades

Important! If you are upgrading a site from 2.4 or below and you are already using a site-wide salt in your configuration file, you need to keep using it to ensure your existing users can still log in.

Each time a user logs in their password hash will be converted to the new scheme, but it may take a long time before all your users have logged in. Alternatively, if you would like to force all your users to use the new scheme you could force reset all passwords using Bulk user actions.

For more details about the old site-wide salt configuration, see the Moodle 2.4 Password Salt documentation.

Sites running PHP version below 5.3.7

The new password hashing mechanism relies on bcrypt support from PHP, which is normally only available in PHP version 5.3.7 or greater (see note below). If you are using a version of PHP which doesn't properly support bcrypt, Moodle will fall back to the old password hashing scheme, so we recommend that you continue to use a site-wide salt until you are able to upgrade PHP.

Note: While an important fix to PHP's hashing algorithm was added in 5.3.7, some Linux distributions have backported the bcrypt fix to earlier versions of PHP. This means that some earlier versions of PHP may still work. To confirm whether your PHP supports the new hashing scheme you can use this test.