Password salting

From MoodleDocs

What are password salting and peppering?

Password salting is a way of making password hashing more secure: a random string of characters is added to a password before its hash is calculated, which makes the resulting hashes harder to reverse.

Password peppering is a secret added to a password at hashing time to increase the security of the hashed password. This value differs from a salt in that it is not stored with the password hash; instead, the pepper is kept separately in the config.php file. It must also be kept secret and be hard to guess. Keeping the value separate from the salt and hashed password means that if the password hashes are compromised, it is much harder to recover the plaintext passwords.

How does Moodle use password salting?

Moodle automatically generates and adds a different salt for each individual user. This is more secure than using a single site-wide configuration variable for the salt.

How does Moodle use password peppering?

Moodle 4.3 and later support password peppers, which are configured and managed via the config.php file. A pepper needs to have at least 112 bits of entropy, so that the pepper itself cannot be easily brute forced by someone who holds a known password and hash pair.

Once a pepper is set, each existing password hash is updated with the pepper the next time that user logs in. To set peppers for your site, the following setting must be added to config.php:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z'
      ];

The 'passwordpeppers' array must be indexed with positive integers. A new pepper is added as a new element of the array with a higher numerical index. On their next login, each user's password is rehashed with the new pepper:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z',
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$'
      ];

Peppers cannot be removed in bulk without resetting all user passwords. However, peppers can be progressively removed by setting the latest pepper to an empty string:

      $CFG->passwordpeppers = [
          1 => '#GV]NLie|x$H9[$rW%94bXZvJHa%z',
          2 => '#GV]NLie|x$H9[$rW%94bXZvJHa%$',
          3 => ''
      ];
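The rotation and removal behaviour described above, as an added example that models the scheme and is not Moodle's own code: each stored hash records the pepper index it was made with, a successful login rehashes with the highest index, and an empty string at the highest index means "no pepper". The hash construction (PBKDF2 over password plus pepper with a per-user random salt), the record layout and the entropy estimate are assumptions for illustration, not Moodle's internals.

```python
# Constructed model of the pepper scheme described on this page; not Moodle's code.
from __future__ import annotations
import hashlib
import hmac
import math
import os

def latest_pepper_id(peppers: dict[int, str]) -> int:
    """The highest numeric index is the active pepper; '' there means 'no pepper'."""
    return max(peppers)

def pepper_entropy_bits(pepper: str) -> float:
    """Rough upper bound on entropy, assuming each character was drawn
    uniformly from the 94 printable ASCII characters (an assumption)."""
    return len(pepper) * math.log2(94)

def hash_password(password: str, peppers: dict[int, str],
                  pepper_id: int | None = None, salt: bytes | None = None) -> dict:
    """Hash with a per-user random salt plus the chosen pepper; the record remembers the pepper index."""
    pepper_id = latest_pepper_id(peppers) if pepper_id is None else pepper_id
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", (password + peppers[pepper_id]).encode(), salt, 50_000)
    return {"pepper_id": pepper_id, "salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict, peppers: dict[int, str]) -> bool:
    """A hash can only be checked while the pepper it was made with is still configured."""
    if record["pepper_id"] not in peppers:
        return False
    expected = hash_password(password, peppers, record["pepper_id"], bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected["hash"], record["hash"])

def login(password: str, record: dict, peppers: dict[int, str]) -> tuple[bool, dict]:
    """Verify, then migrate the stored hash to the latest pepper index if it is behind."""
    if not verify_password(password, record, peppers):
        return False, record
    if record["pepper_id"] != latest_pepper_id(peppers):
        record = hash_password(password, peppers)
    return True, record

if __name__ == "__main__":
    peppers = {1: "pepper-one"}  # constructed values; a real pepper must be long and random
    record = hash_password("correct horse battery", peppers)
    peppers[2] = "pepper-two"                      # rotate: higher index wins
    ok, record = login("correct horse battery", record, peppers)
    print(ok, record["pepper_id"])                 # True 2
    peppers[3] = ""                                # start progressive removal
    ok, record = login("correct horse battery", record, peppers)
    print(ok, record["pepper_id"])                 # True 3
```

Once every user has logged in under the empty-string index, the older indexes are no longer referenced by any stored hash; dropping an index while a hash still references it makes that hash unverifiable, which is why bulk removal forces a password reset.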