Note: You are currently viewing documentation for Moodle 3.7. Up-to-date documentation for the latest stable version of Moodle may be available here: Password salting.

Password salting: Difference between revisions

From MoodleDocs
Older revision: (content copied from Configuration file)

Newer revision: m (Updated link to Spanish translation of page)

(37 intermediate revisions by 13 users not shown)
Older revision:

==What is password salting?==

Moodle stores passwords as md5 strings. [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 Password salting] adds a random string to each password before its md5 hash is calculated, so that precomputed tables of md5 hashes cannot be used to recover the passwords.

==Enabling password salting==

To enable password salting, add the following line to your [[Configuration file|config.php file]]:

 $CFG->passwordsaltmain = 'some long random string here with lots of characters';

You can use the [http://dev.moodle.org/gensalt.php Moodle Salt Generator] to obtain a suitable long random string.

''Note'': For security reasons the only way to enable password salting is by editing config.php; there is no way to do so in the Moodle interface.

==Changing the salt==

If you wish to change the salt, keep the old salt in config.php as an alternative salt and set the new one as the main salt, as follows:

 $CFG->passwordsaltalt1 = 'old long random string';
 $CFG->passwordsaltmain = 'new long random string';

''Warning: If you change the salt and do not include the old one in config.php, the existing password hashes (which were computed with the old salt) will no longer match and nobody will be able to log in to your site!''

==Importing users from another site==

If you import users from another Moodle site which uses a password salt, you need to add the other site's salt to config.php too, as one of the alternative salts.

In addition to <code>$CFG->passwordsaltmain</code>, Moodle checks all salts defined in the variables <code>$CFG->passwordsaltalt1</code>, <code>$CFG->passwordsaltalt2</code>, ... <code>$CFG->passwordsaltalt20</code>.

Newer revision (latest revision as of 14:26, 21 June 2014):

{{Security}}
==What is password salting?==

[http://en.wikipedia.org/wiki/Salt_%28cryptography%29 Password salting] is a way of making password hashing more secure by adding a random string of characters to passwords before their hash is calculated, which makes them harder to reverse.

==How does Moodle use password salting?==

Prior to Moodle 2.5 there was a single site-wide salt which was used when hashing every user's password. From Moodle 2.5 onwards Moodle automatically generates and adds a different salt for each individual user. This is more secure and means that a site-wide configuration variable for the salt is no longer required for '''new''' installations of 2.5 or greater.

==Backwards compatibility for site upgrades==

'''Important!''' If you are upgrading a site from 2.4 or below and you are already using a site-wide salt in your configuration file, '''you need to keep using it to ensure your existing users can still log in'''.

Each time a user logs in, their password hash is converted to the new scheme, but it may take a long time before all your users have logged in. Alternatively, if you would like to force all your users onto the new scheme, you could force-reset all passwords using [[Bulk_user_actions|Bulk user actions]].

For more details about the old site-wide salt configuration, see the [https://docs.moodle.org/24/en/Password_salting Moodle 2.4 Password Salt documentation].

==Sites running PHP version below 5.3.7==

The new password hashing mechanism relies on bcrypt support from PHP, which is normally only available in PHP 5.3.7 or greater (see note below). If you are using a version of PHP which doesn't properly support bcrypt, Moodle will fall back to the old password hashing scheme, so we recommend that you continue to use a site-wide salt until you are able to upgrade PHP.

Note: While an important fix to PHP's bcrypt implementation was added in 5.3.7, some Linux distributions have backported that fix to earlier versions of PHP, so some earlier versions may still work. To confirm whether your PHP supports the new hashing scheme you can use [https://github.com/ircmaxell/password_compat/blob/master/version-test.php this test].

[[cs:Solení hesel]]
[[de:Kennwortverschlüsselung (Salt)]]
[[es:Salado de contraseña]]
[[fr:Salage de mot de passe]]
[[it:report/security/report_security_check_passwordsaltmain]]
[[nl:report/security/report_security_check_passwordsaltmain]]
[[ja:パスワードSALT]]
[[ru:Зашумление паролей]]
[[Category:Security]]

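The migration path the two revisions above describe, as one added PHP example: a site-wide md5 salt with rotated alternatives (<code>passwordsaltmain</code>, <code>passwordsaltalt1</code>..<code>passwordsaltalt20</code>) in Moodle 2.4 and below, bcrypt with a per-user salt from 2.5, the legacy fallback when PHP has no usable bcrypt, and the conversion of a legacy hash at the user's next login. This is illustration code written for this page, not Moodle's own implementation: the function names, the <code>$CFG</code> object built inline, the salt strings and the test account are the example's own assumptions, and it runs stand-alone on PHP 7.1 or later.

```php
<?php
// Added example (not Moodle code): a minimal model of the two password schemes
// this page describes.
//   legacy (Moodle <= 2.4): md5($password . $sitewide_salt); earlier salts are kept
//                           in passwordsaltalt1..20 so hashes made with them still verify
//   current (Moodle >= 2.5): bcrypt via password_hash(), which generates a random
//                           per-user salt and stores it inside the hash string
// All function names and values below are this example's own, not Moodle's API.

$CFG = new stdClass();
$CFG->passwordsaltmain = 'current-site-wide-salt-EXAMPLE-ONLY';   // constructed value
$CFG->passwordsaltalt1 = 'previous-site-wide-salt-EXAMPLE-ONLY';  // a salt rotated out earlier

// Legacy hash: md5 of the password concatenated with the site-wide salt.
function legacy_hash(string $password, string $salt): string {
    return md5($password . $salt);
}

// Legacy check, as this example models it: try the main salt, then every
// passwordsaltalt1..passwordsaltalt20 that is set, then an unsalted md5
// (for sites that never configured a salt at all).
function legacy_verify(string $password, string $stored, stdClass $CFG): bool {
    $salts = [];
    if (!empty($CFG->passwordsaltmain)) {
        $salts[] = $CFG->passwordsaltmain;
    }
    for ($i = 1; $i <= 20; $i++) {
        $name = 'passwordsaltalt' . $i;
        if (!empty($CFG->$name)) {
            $salts[] = $CFG->$name;
        }
    }
    $salts[] = '';
    foreach ($salts as $salt) {
        // hash_equals() keeps the comparison constant-time.
        if (hash_equals($stored, legacy_hash($password, $salt))) {
            return true;
        }
    }
    return false;
}

// Does this PHP build have a usable bcrypt? password_hash() is native from PHP 5.5
// (the password_compat library linked on this page supplies it on 5.3.7+), and
// CRYPT_BLOWFISH confirms the underlying crypt() algorithm is present.
function bcrypt_available(): bool {
    return function_exists('password_hash') && defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

// A bcrypt hash from password_hash() starts with "$2y$"; a legacy hash is 32 hex chars.
function is_bcrypt_hash(string $stored): bool {
    return strncmp($stored, '$2y$', 4) === 0;
}

// Login check that upgrades a legacy hash on success: the "converted at next
// login" behaviour described above. Returns [bool $valid, string $stored_after_login].
function login_and_upgrade(string $password, string $stored, stdClass $CFG): array {
    if (is_bcrypt_hash($stored)) {
        return [password_verify($password, $stored), $stored];
    }
    if (!legacy_verify($password, $stored, $CFG)) {
        return [false, $stored];
    }
    if (bcrypt_available()) {
        // A fresh random salt per call: two users with the same password get
        // different hashes, and no site-wide secret is involved any more.
        return [true, password_hash($password, PASSWORD_BCRYPT)];
    }
    // No bcrypt: stay on the legacy scheme, re-hashed under the current main salt.
    return [true, legacy_hash($password, $CFG->passwordsaltmain)];
}

// Walk a constructed account through the migration. Its hash was made under the
// salt that is now passwordsaltalt1, i.e. the site rotated its salt at some point.
$stored = legacy_hash('correct horse battery staple', $CFG->passwordsaltalt1);

[$ok, $stored] = login_and_upgrade('wrong password', $stored, $CFG);
assert($ok === false && !is_bcrypt_hash($stored));            // rejected, hash untouched

[$ok, $stored] = login_and_upgrade('correct horse battery staple', $stored, $CFG);
assert($ok === true && is_bcrypt_hash($stored) === bcrypt_available()); // accepted via alt1, upgraded

[$ok, $stored] = login_and_upgrade('correct horse battery staple', $stored, $CFG);
assert($ok === true);                                         // bcrypt path from now on

echo "stored hash after migration: $stored\n";
```

Two practical points follow from the model. First, the stored value itself tells you which accounts have not yet been converted: a legacy hash is a 32-character hexadecimal md5 string, a converted one begins with <code>$2y$</code>, so you can count the remaining legacy rows before deciding whether to wait for logins or force a reset as the page suggests. Second, the legacy scheme's salt is a single secret in config.php: once it leaks, every hash can be attacked at the full speed of md5, which is why the per-user salt plus bcrypt's configurable work factor in the 2.5 scheme is the real improvement rather than the salt alone; until all hashes are converted, that file still needs the same protection as the database.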