The Mozilla Secure Coding Guidelines suggest an interesting migration procedure:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Password_Storage

https://bugs.launchpad.net/bugs/843568

Title:
  Stored passwords with a stronger hash algorithm

Status in Mahara ePortfolio:
  Triaged

Bug description:
  MD5 is broken, we should switch to something better.

  Ideally, we should use PHP 5.3.2's crypt() function
  (http://nz.php.net/manual/en/function.crypt.php) with the
  CRYPT_BLOWFISH algorithm. Not sure what cost parameter we should use,
  but ideally a large number (we should do tests here).

  Note that bulk creation of users will be slowed down by using a slow
  hash. So perhaps in that case, we should use SHA256.

  Which means that Mahara needs to recognize 3 hash formats at least:

  - the existing MD5-hashed passwords
  - the new Blowfish ones
  - the new SHA256 ones
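The three stored formats listed in the bug description can be told apart and checked at login as follows. This is an added example, not Mahara code or part of the original message: the function names, the unsalted hex MD5 layout, the `$5$` crypt form for SHA256 and the upgrade to Blowfish on a successful login are assumptions, and it relies on hash_equals() and random_bytes() from PHP 7.

```php
<?php
// Added example. Formats and names are assumptions, not Mahara's schema.

// Classify a stored hash by its shape.
function hash_format($stored) {
    if (preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored)) {
        return 'blowfish';              // crypt() with CRYPT_BLOWFISH
    }
    if (strncmp($stored, '$5$', 3) === 0) {
        return 'sha256';                // crypt() with CRYPT_SHA256 (assumed)
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return 'md5';                   // assumed legacy layout: unsalted hex MD5
    }
    return 'unknown';
}

// Build a fresh "$2y$<cost>$<22-char salt>" setting string for crypt().
function blowfish_setting($cost) {
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Returns array($ok, $upgraded): $upgraded is a new Blowfish hash to store
// when the password was correct but held in a weaker format, else null.
function check_password($password, $stored, $cost = 10) {
    $format = hash_format($stored);
    if ($format === 'md5') {
        $ok = hash_equals($stored, md5($password));
    } elseif ($format === 'blowfish' || $format === 'sha256') {
        // crypt() reads algorithm, cost and salt back out of the stored hash.
        $calc = crypt($password, $stored);
        $ok = is_string($calc) && hash_equals($stored, $calc);
    } else {
        return array(false, null);      // unrecognised format: reject
    }
    if (!$ok || $format === 'blowfish') {
        return array($ok, null);
    }
    // The plaintext is only available now, so re-hash while we have it.
    return array(true, crypt($password, blowfish_setting($cost)));
}

// Constructed sample: a legacy MD5 record is accepted once, then upgraded.
$legacy = md5('correct horse');
list($ok, $upgraded) = check_password('correct horse', $legacy);
var_dump($ok, hash_format($upgraded));                 // true, "blowfish"
list($ok2, $again) = check_password('correct horse', $upgraded);
var_dump($ok2, $again);                                // true, NULL
```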

