Note: You are currently viewing documentation for Moodle 3.7. Up-to-date documentation for the latest stable version of Moodle may be available here: Password salting.

Password salting

From MoodleDocs
Revision as of 20:40, 17 November 2009 by Helen Foster (talk | contribs) (content copied from Configuration file)

What is password salting?

Moodle stores passwords as MD5 hashes. Password salting adds a random string to each password before its MD5 hash is calculated, which makes the stored hashes practically impossible to reverse.

Enabling password salting

To enable password salting, add the following line to your config.php file:

$CFG->passwordsaltmain = 'some long random string here with lots of characters';

You can use the Moodle Salt Generator to obtain a suitable long random string.

Note: For security reasons the only way to enable password salting is by editing config.php - there is no way to do so in the Moodle interface.

Changing the salt

If you wish to change the salt, you must keep the old salt in config.php as an alternative salt and set the new one as the main salt, as follows:

$CFG->passwordsaltalt1 = 'old long random string';
$CFG->passwordsaltmain = 'new long random string';

Warning: If you change the salt and do not include the old one in config.php, you will no longer be able to log in to your site!

Importing users from another site

If you import users from another Moodle site which uses a password salt, you need to add the other site's salt to config.php too.

In addition to $CFG->passwordsaltmain, Moodle checks all salts defined in the following variables:

$CFG->passwordsaltalt1, $CFG->passwordsaltalt2, ... $CFG->passwordsaltalt20
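
The sketch below is an added example, not Moodle's own code. It shows why the old salt (see "Changing the salt") or another site's salt (see "Importing users from another site") must stay in config.php for existing hashes to keep validating. The example_* functions, the sample password, the assumption that the salt is appended to the password before hashing, and the re-hash step are all choices of this example rather than statements from this page.

```php
<?php
// Added illustration, not Moodle source code.
// Assumption: the salt is appended, i.e. the stored hash is md5($password . $salt).

// Constructed stand-in for the $CFG object that config.php populates.
$CFG = new stdClass();
$CFG->passwordsaltalt1 = 'old long random string';
$CFG->passwordsaltmain = 'new long random string';

// Hypothetical helper: hash a password with the current main salt.
function example_hash_password(stdClass $cfg, string $password): string {
    $salt = isset($cfg->passwordsaltmain) ? $cfg->passwordsaltmain : '';
    return md5($password . $salt);
}

// Hypothetical helper: try the main salt, then passwordsaltalt1..20.
// Returns the name of the config variable whose salt matched, or null.
function example_find_matching_salt(stdClass $cfg, string $stored, string $password): ?string {
    $names = ['passwordsaltmain'];
    for ($i = 1; $i <= 20; $i++) {
        $names[] = 'passwordsaltalt' . $i;
    }
    foreach ($names as $name) {
        // Skip unset salts; compare hashes in constant time.
        if (!empty($cfg->$name) && hash_equals($stored, md5($password . $cfg->$name))) {
            return $name;
        }
    }
    return null;
}

// Constructed user record: hash created while the old salt was the main salt.
$password = 'Example-Passw0rd';
$stored = md5($password . 'old long random string');

// Scenario 1: old salt kept as passwordsaltalt1, so the login can be validated.
$matched = example_find_matching_salt($CFG, $stored, $password);
echo 'Salt that validated the login: ', var_export($matched, true), PHP_EOL;

// Design choice of this example (not stated on the page): after a match on an
// alternative salt, re-hash with the main salt so the record no longer depends on it.
if ($matched !== null && $matched !== 'passwordsaltmain') {
    $stored = example_hash_password($CFG, $password);
}
echo 'After re-hash: ', var_export(example_find_matching_salt($CFG, $stored, $password), true), PHP_EOL;

// Scenario 2 (the warning above): the old salt was dropped from the config.
$broken = new stdClass();
$broken->passwordsaltmain = 'new long random string';
$oldhash = md5($password . 'old long random string');
echo 'Old salt removed: ', var_export(example_find_matching_salt($broken, $oldhash, $password), true), PHP_EOL;
```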