Best practice forum (Archived)

What method does Totara use to encrypt user pw's?

John Unnever
What method does Totara use to encrypt user pw's?
by John Unnever - Tuesday, 26 July 2016, 12:02 PM
Group Partners

Hello! Just a general question. I saw some conflicting information online via Moodle searches. Can anyone answer with certainty what method is used to encrypt user passwords in Totara?

[Forum post removed - Tuesday, 26 July 2016, 12:40 PM. The content of this forum post has been removed and can no longer be accessed.]
Simon Coggins
Re: What method does Totara use to encrypt user pw's?
by Simon Coggins - Tuesday, 26 July 2016, 1:52 PM
Group Totara

Hi John,

One small technical point - passwords are one-way hashed not encrypted - the difference being there is no way to "decrypt" them other than comparing a hash of the plain-text password to make sure it matches.

From 2.5 onwards passwords are hashed using the bcrypt algorithm, with a per-user salt and the default PHP cost factor. We use the functions that are built in to PHP (http://php.net/manual/en/ref.password.php), along with a compatibility library to provide support for older versions of PHP in Totara versions that support earlier PHP versions.

Using Bcrypt for password hashing is considered industry best practice.

Simon
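As an added illustration of the mechanism Simon describes (this is example code, not Totara's own implementation), the following PHP uses the built-in password API he links to. It shows that password_hash() generates a fresh random salt on every call, that the salt and cost are stored inside the resulting hash string, and that verification works by re-hashing the candidate password rather than by decrypting anything. The function names, the hash-parsing helper and the sample password are my own assumptions for the demo.

```php
<?php
// Added example (not Totara code): bcrypt hashing via PHP's built-in
// password_* functions, as described in the post above.

declare(strict_types=1);

// Hash a plaintext password with bcrypt. password_hash() draws a new random
// salt on every call, so two users with the same password get different
// hashes. PASSWORD_BCRYPT_DEFAULT_COST is PHP's default cost (10) and is the
// work factor the post refers to; it can be raised as hardware gets faster.
function hashPassword(string $plaintext, int $cost = PASSWORD_BCRYPT_DEFAULT_COST): string
{
    // Note: bcrypt only considers the first 72 bytes of the input.
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Split a bcrypt hash string into its parts. The layout is
//   $2y$<2-digit cost>$<22-char salt><31-char digest>
// which is why no separate salt column is needed in the database: the
// per-user salt and the cost travel with the hash itself.
function parseBcryptHash(string $hash): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return [
        'version' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'digest'  => $m[4],
    ];
}

// Verify a login attempt. There is no decryption step: password_verify()
// reads the salt and cost out of the stored hash, re-hashes the candidate
// with them, and compares the two hashes in constant time.
function checkLogin(string $storedHash, string $candidate): bool
{
    return password_verify($candidate, $storedHash);
}

// Because the cost is embedded in the hash, old hashes can be upgraded
// transparently: after a successful login, rehash if the stored hash was
// produced with a weaker cost than the current target.
function rehashIfNeeded(string $storedHash, string $candidate, int $targetCost): ?string
{
    if (!password_verify($candidate, $storedHash)) {
        return null; // wrong password: never rehash on a failed attempt
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        return password_hash($candidate, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return $storedHash;
}

// Demo with a constructed password (not from any real system).
$password = 'correct horse battery staple';

$h1 = hashPassword($password);
$h2 = hashPassword($password);
var_dump($h1 !== $h2);                       // true: different salts each time

print_r(parseBcryptHash($h1));               // shows version, cost=10, salt, digest

var_dump(checkLogin($h1, $password));        // true
var_dump(checkLogin($h1, 'wrong password')); // false

// Simulate raising the site-wide cost from 10 to 12 on next login.
$upgraded = rehashIfNeeded($h1, $password, 12);
var_dump($upgraded !== null && parseBcryptHash($upgraded)['cost'] === 12); // true
var_dump(checkLogin($upgraded, $password)); // true: the upgraded hash still verifies
```

The practical consequence for anyone auditing a Totara database is that a bcrypt hash is recognisable by its "$2y$" prefix followed by the two-digit cost, and that a hash with the default cost of 10 is expected to take on the order of tens of milliseconds to verify, which is what makes offline brute force expensive.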