Best practice forum (Archived)

What method does Totara use to encrypt user pw's?

John Unnever
What method does Totara use to encrypt user pw's?
by John Unnever, Tuesday 26 July 2016, 12:02
Partners group

Hello! Just a general question, as I saw some conflicting information online via Moodle searches. Can anyone answer with certainty what method is used to encrypt user passwords in Totara?

Simon Coggins
Re: What method does Totara use to encrypt user pw's?
by Simon Coggins, Tuesday 26 July 2016, 13:52
Totara group

Hi John,

One small technical point: passwords are one-way hashed, not encrypted. The difference is that there is no way to "decrypt" them other than comparing a hash of the plain-text password to make sure it matches.

From 2.5 onwards, passwords are hashed using the bcrypt algorithm, with a per-user salt and the default PHP cost factor. We use the functions that are built into PHP (http://php.net/manual/en/ref.password.php), along with a compatibility library to provide support for older versions of PHP in versions that support earlier PHP versions.

Using Bcrypt for password hashing is considered industry best practice.

Simon
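As an added illustration (not Totara's own code and not part of the post above), this is the PHP password API Simon refers to: it shows the per-user salt (two hashes of the same password differ), the default bcrypt cost embedded in the stored string, and how a hash is upgraded to a higher cost at login time. The sample password is constructed for the demo.

```php
<?php
// Added example, not Totara's code: PHP's built-in password_* functions.

function store_password(string $plain, array $options = []): string {
    // password_hash() draws a fresh random salt on every call and embeds it
    // in the result ("$2y$<cost>$<22-char salt><31-char hash>"), so the salt
    // is per-user by construction and never has to be stored separately.
    // Note: bcrypt only looks at the first 72 bytes of the input.
    return password_hash($plain, PASSWORD_BCRYPT, $options);
}

function check_login(string $plain, string $stored): bool {
    // Re-hashes $plain with the salt and cost read from $stored and compares
    // in constant time; the stored value is never "decrypted".
    return password_verify($plain, $stored);
}

function upgrade_if_needed(string $plain, string $stored, array $options): ?string {
    // Only possible at login, because the plain text is needed to re-hash.
    if (password_verify($plain, $stored)
        && password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        return password_hash($plain, PASSWORD_BCRYPT, $options);
    }
    return null;
}

// Constructed sample password for the demonstration (not a real credential).
$pw = 'correct horse battery staple';
$h1 = store_password($pw);
$h2 = store_password($pw);
echo "hash 1: $h1\n";
echo "hash 2: $h2\n";
// Same password, different salts, different hashes; both still verify.
echo 'hashes differ: ', ($h1 !== $h2 ? 'yes' : 'no'), "\n";
echo 'correct password verifies: ', (check_login($pw, $h1) && check_login($pw, $h2) ? 'yes' : 'no'), "\n";
echo 'wrong password verifies: ', (check_login('wrong password', $h1) ? 'yes' : 'no'), "\n";

// The algorithm and cost are parsed back out of the hash itself (default cost is 10).
$info = password_get_info($h1);
printf("algorithm: %s, cost: %d\n", $info['algoName'], $info['options']['cost']);

// Raising the cost later: old hashes keep verifying, and are re-hashed on next login.
$upgraded = upgrade_if_needed($pw, $h1, ['cost' => 12]);
printf("re-hashed at cost 12: %s\n", $upgraded === null ? 'no' : 'yes');
```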