Password hashing

From MoodleDocs

Moodle LMS hashing algorithm

New feature in Moodle 4.3!

From version 4.3, Moodle LMS uses SHA2-512 (SHA-512) for hashing user passwords. See MDL-67390.
SHA-512 is a modern hashing algorithm from the SHA-2 family that is approved by various government agencies and standards:

"The only approved hashing algorithm is Secure Hashing Algorithm 2 (SHA-2)." - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography

"NIST recommends that federal agencies transition away from SHA-1 for all applications as soon as possible. Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1." - https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions

Legacy hashing

Up until Moodle 2.3 the MD5 hashing algorithm was used to hash passwords. Between versions 2.3 and 4.2 Moodle used the BCRYPT hashing algorithm.

Between versions 2.3 and 4.2, users who had an MD5 hashed password were upgraded to the BCRYPT algorithm on login. As of version 4.3, any remaining MD5 passwords in the Moodle instance's database (meaning that the user has not logged in since the release of Moodle 2.3) are replaced with a random SHA-512 string. Any users that this applies to will need to reset their password to be able to log in.

From Moodle 4.3, users with a (now legacy) password hash created with the BCRYPT algorithm will have their hash upgraded to SHA-512 when they next log in.
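The upgrade-on-login flow described in the two paragraphs above (MD5 → BCRYPT in 2.3–4.2, BCRYPT → SHA-512 from 4.3, and stale MD5 rows replaced with an unusable random hash) as an added PHP example. This is not Moodle's own code; it assumes that legacy MD5 hashes are bare 32-character hex strings, that BCRYPT hashes carry the `$2y$` crypt prefix, and that the SHA-512 scheme is the salted, iterated SHA-512 crypt format (`$6$`) produced by PHP's `crypt()`. The `SHA512_ROUNDS` constant and all function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's own code. Models the upgrade-on-login flow
// described on the page: verify against whatever scheme the stored hash
// uses, then rehash with the current scheme if it is not already current.
// Assumptions (not stated on the page): legacy MD5 hashes are bare 32-hex
// strings, bcrypt hashes carry a "$2y$" crypt prefix, and the current
// SHA-512 scheme is PHP crypt()'s salted, iterated SHA-512 format ("$6$").

const SHA512_ROUNDS = 10000; // assumed cost parameter; raise as hardware allows

function hash_password_sha512(string $password): string {
    // A "$6$" salt selects SHA-512 crypt; 16 hex chars is the maximum salt length.
    $salt = '$6$rounds=' . SHA512_ROUNDS . '$' . bin2hex(random_bytes(8)) . '$';
    return crypt($password, $salt);
}

function hash_scheme(string $stored): string {
    if (str_starts_with($stored, '$6$')) {
        return 'sha512crypt';
    }
    if (preg_match('/^\$2[aby]\$/', $stored) === 1) {
        return 'bcrypt';
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return 'md5';
    }
    return 'unknown';
}

function is_current_scheme(string $stored): bool {
    // Only a SHA-512 crypt hash at the current cost counts as up to date.
    return str_starts_with($stored, '$6$rounds=' . SHA512_ROUNDS . '$');
}

/**
 * Verify $password against $stored. Returns ['ok' => bool, 'newhash' => ?string];
 * newhash is non-null when the caller should persist an upgraded hash.
 */
function verify_and_upgrade(string $password, string $stored): array {
    switch (hash_scheme($stored)) {
        case 'md5':
            // Constant-time comparison; md5() returns lowercase hex.
            $ok = hash_equals(strtolower($stored), md5($password));
            break;
        case 'bcrypt':
        case 'sha512crypt':
            // password_verify() accepts any crypt()-format hash, so one call
            // covers both the legacy bcrypt and the current SHA-512 scheme.
            $ok = password_verify($password, $stored);
            break;
        default:
            $ok = false;
    }
    if (!$ok) {
        return ['ok' => false, 'newhash' => null];
    }
    return ['ok' => true, 'newhash' => is_current_scheme($stored) ? null : hash_password_sha512($password)];
}

/**
 * The 4.3 treatment of MD5 hashes that were never upgraded: replace them
 * with the hash of a random secret nobody knows, so the account can only
 * be recovered through a password reset.
 */
function invalidate_legacy_hash(): string {
    return hash_password_sha512(bin2hex(random_bytes(32)));
}

// Demonstration with constructed sample rows (one per historical scheme).
$password = 'correct horse battery staple';
$rows = [
    'md5user'    => md5($password),
    'bcryptuser' => password_hash($password, PASSWORD_BCRYPT),
    'sha512user' => hash_password_sha512($password),
];
foreach ($rows as $user => $stored) {
    $result = verify_and_upgrade($password, $stored);
    printf("%-10s scheme=%-11s ok=%s upgrade=%s\n",
        $user, hash_scheme($stored), $result['ok'] ? 'yes' : 'no',
        $result['newhash'] === null ? 'no' : 'yes -> ' . substr($result['newhash'], 0, 20) . '...');
    assert($result['ok']);
}
// A wrong password must fail in every scheme.
assert(!verify_and_upgrade('wrong', $rows['bcryptuser'])['ok']);
// A stale MD5 row that never logged in gets a random, unusable SHA-512 hash.
$stale = invalidate_legacy_hash();
assert(!verify_and_upgrade($password, $stale)['ok'] && hash_scheme($stale) === 'sha512crypt');
```

The only point at which the plaintext password is available is the login request, which is why the rehash has to happen there; rows whose owners never log in can only be invalidated, not migrated, which is the behaviour the page describes for leftover MD5 hashes.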