
Password salting: Difference between revisions

From MoodleDocs
No edit summary was given for either revision.

Line 2:
==What is password salting?==

Old: [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 Password salting] is a way of making password hashing more secure by adding a random string of characters to passwords before their hash is calculated, which makes them harder to reverse (the longer the random string, the harder you make it).

New: [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 Password salting] is a way of making password hashing more secure by adding a random string of characters to passwords before their hash is calculated, which makes them harder to reverse.

==How does Moodle use password salting?==

Line 12:
'''Important!''' If you are upgrading a site from 2.4 or below and you are already using a site-wide salt in your configuration file, '''you need to keep using it to ensure your existing users can still log in'''.

Old: Each time a user logs in their password hash will be converted to the new system, but it may take a long time before all your users have logged in.

New: Each time a user logs in their password hash will be converted to the new scheme, but it may take a long time before all your users have logged in.

For more details about the old site-wide salt configuration, see the [https://docs.moodle.org/24/en/Password_salting Moodle 2.4 Password Salt documentation].

Revision as of 20:26, 13 May 2013

What is password salting?

Password salting is a way of making password hashing more secure by adding a random string of characters to passwords before their hash is calculated, which makes them harder to reverse.

How does Moodle use password salting?

Prior to Moodle 2.5 there was a single site-wide salt which was used when hashing every user's password. From Moodle 2.5 onward Moodle automatically generates and adds a different salt for each individual user. This is more secure and means that a site-wide configuration variable for the salt is no longer required for new installations of 2.5 or greater.

Backwards compatibility for site upgrades

Important! If you are upgrading a site from 2.4 or below and you are already using a site-wide salt in your configuration file, you need to keep using it to ensure your existing users can still log in.

Each time a user logs in their password hash will be converted to the new scheme, but it may take a long time before all your users have logged in.
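The two schemes described above, and the upgrade-on-login step that moves a user from the site-wide salt to a per-user salt, modelled as an added example (not Moodle's own code; the page does not name the legacy hash algorithm, so SHA-256 over password+site salt stands in for it, PBKDF2 for the per-user scheme, and the "$pbkdf2$" record format is an assumption):

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed value playing the role of the pre-2.5 config.php site-wide salt.
SITE_SALT = "constructed-site-wide-salt"
PBKDF2_ROUNDS = 100_000


def legacy_hash(password: str, site_salt: str) -> str:
    """Pre-2.5 style: one salt shared by every user (stand-in algorithm)."""
    return hashlib.sha256((password + site_salt).encode()).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """2.5+ style: a fresh random salt per user, stored inside the record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "$pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_new(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in the record; constant-time compare."""
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(user: dict, password: str, site_salt: Optional[str]) -> bool:
    """Check a login; a legacy record that verifies is rewritten to the new scheme.

    site_salt is None when the admin has removed the site-wide salt from the
    configuration: legacy records can then no longer be checked at all, which
    is why the page says to keep the old salt until every user has logged in.
    """
    stored = user["password"]
    if stored.startswith("$pbkdf2$"):
        return verify_new(password, stored)
    if site_salt is None:
        return False  # legacy hash but no site salt: user is locked out
    if not hmac.compare_digest(legacy_hash(password, site_salt), stored):
        return False
    user["password"] = new_hash(password)  # upgrade-on-login to per-user salt
    return True
```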

For more details about the old site-wide salt configuration, see the Moodle 2.4 Password Salt documentation.

Sites running a PHP version below 5.3.7

The new password hashing mechanism is only supported if your PHP version is 5.3.7 or greater. If you are using a lower version of PHP, Moodle will fall back to the old password hashing scheme, so we recommend that you continue to use a site-wide salt even for new 2.5 installations until you are able to upgrade PHP.