Best practice forum (Archived)

Does Totara make additional changes to passwords?

 
Simon Coggins
Re: Does Totara make additional changes to passwords?
by Simon Coggins - Thursday, 2 January 2014, 12:28 PM
Group Totara

Hi Liz,

In Moodle 2.5 the way passwords are stored has been changed to make it more secure. In Moodle 2.4 (and Totara 2.4) it is stored as an md5 hash (which looks like: d03004e6c3783948c28b001a38e9a0e0). From Moodle and Totara 2.5 onwards it is stored as a "bcrypt" hash (which looks like: $2y$10$j0RDhHH13wu4iXP73vl6pueNor2K4WSLtE/ZFrbim5E...).

When you upgrade a site to 2.5 or above, all new passwords will use the bcrypt format. Existing passwords will stay in the md5 format until the user logs in for the first time after upgrade, at which point the old hash will be converted to the new format.

As long as you use the same sitewide salt you should be able to take "old" md5 hashes and import them to a 2.5+ site and it will still let the user log in (at which point it will get converted to the new format).

There are some more details about the process here:

http://docs.moodle.org/25/en/Password_salting

The conversion to the new format was actually written by me/Totara for Moodle so I should be able to help if you have any issues!

Simon
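
The upgrade-on-login behaviour described in the post above, as an added example that is not part of the original post and is not Moodle or Totara source code. The function names, the `$user` array layout and the `md5(password . salt)` layout of the legacy hash are assumptions made for this sketch; the sample salt and passwords are constructed.

```php
<?php
// Added illustration only. Names and the legacy hash layout are assumptions.
const BCRYPT_OPTS = ['cost' => 10]; // cost 10 matches the "$2y$10$" prefix in the post

function is_legacy_md5(string $stored): bool
{
    // A legacy hash is exactly 32 hex characters; bcrypt hashes start with "$2y$".
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function check_and_upgrade(array &$user, string $password, string $siteSalt): bool
{
    $stored = $user['password'];

    if (is_legacy_md5($stored)) {
        // Legacy path: only verifiable with the sitewide salt the old site used.
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password . $siteSalt))) {
            return false;
        }
        // The plaintext is only available at login, so convert the hash now.
        $user['password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        return true;
    }

    // bcrypt path: the per-hash salt is embedded in the stored string,
    // so the sitewide salt plays no part here.
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $user['password'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

// Constructed sample: an "old" md5 hash imported into the upgraded site.
$oldSalt = 'constructed-sitewide-salt';
$user = ['username' => 'example_user', 'password' => md5('correct horse' . $oldSalt)];

// Import with a different sitewide salt: the legacy hash can no longer be checked.
var_dump(check_and_upgrade($user, 'correct horse', 'some-other-salt'));
// Wrong password with the right salt: rejected, hash stays in md5 format.
var_dump(check_and_upgrade($user, 'wrong password', $oldSalt));
var_dump(is_legacy_md5($user['password']));
// First successful login after upgrade: accepted and converted to bcrypt.
var_dump(check_and_upgrade($user, 'correct horse', $oldSalt));
var_dump(is_legacy_md5($user['password']), substr($user['password'], 0, 7));
```

Accounts that never log in after the upgrade keep their md5 hash indefinitely, so counting rows that still match the 32-hex-character pattern is a quick way to measure how much of the user table is still in the old format.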