Password hashing: Difference between revisions

From MoodleDocs
(Created page with "{{Security}} ==Moodle LMS hashing algorithm== From version 4.3 Moodle LMS uses [https://en.wikipedia.org/wiki/SHA-2 SHA2 - 512] (SHA-512) for hashing uses passwords. See: http...")
 
m (new features template)
Line 1: Line 1:
{{Security}}
==Moodle LMS hashing algorithm==
- From version 4.3 Moodle LMS uses [https://en.wikipedia.org/wiki/SHA-2 SHA2 - 512] (SHA-512) for hashing uses passwords. See: https://tracker.moodle.org/browse/MDL-67390 <br/>
+ {{New features}}From version 4.3 Moodle LMS uses [https://en.wikipedia.org/wiki/SHA-2 SHA2 - 512] (SHA-512) for hashing uses passwords. See: MDL-67390 <br/>
SHA-512 is a modern hashing algorithm that is approved by various government agencies and standards:

Line 9: Line 9:

==Legacy hashing==
- Up until Moodle LMS version 2.3 the MD5 hashing alogrithm was used to hash passwords. Between versions 2.3 and 4.2 Moodle used the BCRYPT hashing algorithm.
+ Up until Moodle 2.3 the MD5 hashing alogrithm was used to hash passwords. Between versions 2.3 and 4.2 Moodle used the BCRYPT hashing algorithm.

Between versions 2.3 and and 4.2 users who had a MD5 hashed password were upgraded to the BCRYPT algorithm on login. As of version 4.3 any remaining MD5 passwords in the Moodle instances database (meaning that the user had not logged in since the release of Moodle 2.3) are replaced with a random SHA512 string. Any users that this applies to will need to reset their password to be able to log in.

- From Moodle version 4.3, users with (the now) legacy password hashe encrypted with the BCRYPT algorithm, will have their hash upgraded to SHA512 when they next login.
+ From Moodle 4.3, users with (the now) legacy password hashe encrypted with the BCRYPT algorithm, will have their hash upgraded to SHA512 when they next login.

Revision as of 08:52, 4 December 2023

Moodle LMS hashing algorithm

New feature in Moodle 4.4!
From version 4.3, Moodle LMS uses SHA-2 with a 512-bit digest (SHA-512) for hashing user passwords. See: MDL-67390
SHA-512 belongs to the SHA-2 family, which is approved by various government agencies and standards:

"The only approved hashing algorithm is Secure Hashing Algorithm 2 (SHA-2)." - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography

"NIST recommends that federal agencies transition away from SHA-1 for all applications as soon as possible. Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1." - https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions

Legacy hashing

Up until Moodle 2.3 the MD5 hashing algorithm was used to hash passwords. Between versions 2.3 and 4.2 Moodle used the bcrypt hashing algorithm.

Between versions 2.3 and 4.2, users who still had an MD5-hashed password were upgraded to bcrypt on login. As of version 4.3, any remaining MD5 hashes in the Moodle instance's database (meaning the user has not logged in since the release of Moodle 2.3) are replaced with a random SHA-512 string that no password can match. Any user this applies to will need to reset their password to be able to log in.

From Moodle 4.3, users whose password is still stored as a (now legacy) bcrypt hash will have that hash upgraded to SHA-512 when they next log in.
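The migration described above (inventory of legacy hash formats, the 4.3 replacement of MD5 hashes, and bcrypt-to-SHA-512 upgrade on the next login), as an added Python example that is not part of MoodleDocs or Moodle's own code. The hash-format prefixes, the `$6$rounds=N$salt$hash` shape, the sample rows and the `bcrypt_verify` callback are assumptions; the SHA-512 stand-in uses PBKDF2-HMAC-SHA512 and is not crypt(3)-compatible with real Moodle hashes.

```python
import hashlib, hmac, re, secrets
from collections import Counter

# Stored-hash formats by Moodle era (prefixes assumed from the page's history).
MD5_RE = re.compile(r"^[0-9a-f]{32}$")                             # up to 2.3: unsalted MD5
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")      # 2.3 to 4.2: bcrypt
SHA512_RE = re.compile(r"^\$6\$rounds=(\d+)\$([^$]+)\$(.+)$")        # 4.3+: SHA-512 (assumed shape)

def classify(stored):
    if MD5_RE.match(stored): return "md5"
    if BCRYPT_RE.match(stored): return "bcrypt"
    if SHA512_RE.match(stored): return "sha512"
    return "unknown"

def audit(rows):
    """Pre-upgrade inventory: how many accounts sit on each hash format."""
    return dict(Counter(classify(r["password"]) for r in rows))

def sha512_hash(password, salt=None, rounds=10000):
    """Stand-in for the 4.3 scheme: salted, iterated SHA-512 in a $6$-shaped string
    (PBKDF2-HMAC-SHA512 here, so NOT interchangeable with real Moodle hashes)."""
    salt = salt or secrets.token_urlsafe(12)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds)
    return f"$6$rounds={rounds}${salt}${dk.hex()}"

def sha512_verify(password, stored):
    m = SHA512_RE.match(stored)
    if not m: return False
    return hmac.compare_digest(sha512_hash(password, m.group(2), int(m.group(1))), stored)

def upgrade_to_43(rows):
    """4.3 upgrade step: MD5 hashes (owner has not logged in since 2.3) are replaced with
    the hash of a random, discarded secret, so no password matches and a reset is forced.
    bcrypt hashes are left in place for upgrade at the next login. Returns locked-out users."""
    reset_required = []
    for row in rows:
        if classify(row["password"]) == "md5":
            row["password"] = sha512_hash(secrets.token_hex(32))
            reset_required.append(row["username"])
    return reset_required

def login(row, password, bcrypt_verify):
    """Post-4.3 login check that transparently rehashes a legacy bcrypt hash to SHA-512.
    bcrypt_verify is injected (e.g. bcrypt.checkpw from the 'bcrypt' package); stdlib has none."""
    kind = classify(row["password"])
    if kind == "sha512":
        return sha512_verify(password, row["password"])
    if kind == "bcrypt" and bcrypt_verify(password, row["password"]):
        row["password"] = sha512_hash(password)   # upgrade on successful login
        return True
    return False   # MD5 rows never match after the 4.3 upgrade; unknown formats are rejected

# Constructed sample user table (not real Moodle data; the bcrypt value is a shape-only dummy).
USERS = [
    {"username": "alice", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},  # MD5("password")
    {"username": "bob", "password": "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"},
    {"username": "carol", "password": sha512_hash("correct horse", "fixedsalt")},
]
```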