Best practice forum (Archived)

What method does Totara use to encrypt user pw's?

John Unnever
What method does Totara use to encrypt user pw's?
by John Unnever - Tuesday, 26 July 2016, 12:02 PM
Group: Partners

Hello! Just a general question, as I saw some conflicting information online via Moodle searches. Can anyone answer with certainty what method is used to encrypt user passwords in Totara?

This forum post has been deleted
Tuesday, 26 July 2016, 12:40 PM
The content of this forum post has been deleted and is no longer accessible.
Simon Coggins
Re: What method does Totara use to encrypt user pw's?
by Simon Coggins - Tuesday, 26 July 2016, 13:52 PM
Group: Totara

Hi John,

One small technical point: passwords are one-way hashed, not encrypted. The difference is that there is no way to "decrypt" them; the only check possible is to hash the supplied plain-text password and compare the result to the stored hash.

From 2.5 onwards passwords are hashed using the bcrypt algorithm, with a per-user salt and the default PHP cost factor. We use the functions that are built into PHP (http://php.net/manual/en/ref.password.php) along with a compatibility library to provide support for older versions of PHP in versions that support earlier PHP versions.

Using Bcrypt for password hashing is considered industry best practice.

Simon
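The following is an added example, not code from the thread or from Totara, showing the PHP password API that Simon's reply refers to: `password_hash()` with `PASSWORD_BCRYPT` draws a fresh random salt for every call and embeds it, together with the cost factor, in the 60-character hash string, so two hashes of the same password differ; `password_verify()` recomputes bcrypt with the salt taken from the stored string and compares in constant time; `password_needs_rehash()` lets a site raise the cost later. The sample password and the `describeHash()` helper (which just splits the `$2y$<cost>$<salt><digest>` layout) are constructed for illustration. The default cost was 10 in the PHP versions current when this thread was written.

```php
<?php
// Added example (not from the forum thread or Totara's code): the built-in
// PHP password functions that the reply above describes.

function hashPassword(string $plain): string
{
    // password_hash() generates a random 16-byte salt per call and embeds it,
    // with the algorithm id and cost, in the returned string.
    return password_hash($plain, PASSWORD_BCRYPT);
}

function verifyPassword(string $plain, string $stored): bool
{
    // Re-runs bcrypt with the salt and cost parsed out of $stored and compares
    // the result to $stored in constant time.
    return password_verify($plain, $stored);
}

function describeHash(string $hash): array
{
    // Constructed helper: split "$2y$10$<22-char salt><31-char digest>" into
    // its fields so the per-hash salt and the cost are visible.
    if (!preg_match('/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int)$m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Constructed sample password; in a real application this comes from the
// login or registration form and is never stored anywhere in plain text.
$password = 'correct horse battery staple';

$h1 = hashPassword($password);
$h2 = hashPassword($password);
printf("hash 1: %s\n", $h1);
printf("hash 2: %s\n", $h2);

// Same password, different salt each time, so the stored strings differ
// even though both verify.
var_dump($h1 !== $h2);
var_dump(verifyPassword($password, $h1));
var_dump(verifyPassword($password, $h2));
var_dump(verifyPassword('wrong password', $h1));
print_r(describeHash($h1));

// Raising the cost later: password_needs_rehash() reports whether a stored
// hash was made with weaker parameters than the ones now wanted, so a site
// can rehash at the user's next successful login (when the plain text is
// briefly available again).
$wanted = ['cost' => 12];
if (password_needs_rehash($h1, PASSWORD_BCRYPT, $wanted)) {
    $h1 = password_hash($password, PASSWORD_BCRYPT, $wanted);
    echo 'rehashed at cost ' . describeHash($h1)['cost'] . "\n";
}
```

Run with `php example.php` on any PHP 5.5 or newer (the password functions are core from 5.5; earlier versions need the kind of compatibility library Simon mentions). The design point is that nothing in the stored string is secret: algorithm id, cost and salt are all readable, and the security rests on bcrypt's work factor and on the salt making precomputed tables useless.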