Best practice forum (Archived)

What method does Totara use to encrypt user pw's?

 
Simon Coggins
Re: What method does Totara use to encrypt user pw's?
di Simon Coggins - Tuesday, 26 July 2016, 13:52
Gruppo Totara

Hi John,

One small technical point - passwords are one-way hashed not encrypted - the difference being there is no way to "decrypt" them other than comparing a hash of the plain-text password to make sure it matches.

From 2.5 onwards passwords are hashed using the bcrypt algorithm, with a per-user salt and the default PHP cost factor. We use the functions that are built in to PHP (http://php.net/manual/en/ref.password.php) along with a compatibility library to provide support for older versions of PHP in versions that support earlier php versions.

Using Bcrypt for password hashing is considered industry best practice.

Simon