Issue 12076

Make sure our passwords are securely saved

Reporter: lfrancke
Assignee: mdoering
Type: Bug
Summary: Make sure our passwords are securely saved
Priority: Critical
Resolution: Fixed
Status: Closed
Created: 2012-10-24 16:28:53.408
Updated: 2013-08-29 14:44:32.764
Resolved: 2013-08-20 11:33:26.776
Description: If I understand correctly we are using basic MD5 hashing at the moment which has been proven to be very insecure.

I'm of the opinion that we _need_ to change this to something more secure before we go live. Using the Drupal 7 default would be perfectly fine in terms of security. It is using SHA512 and (much more important) a salt.

Comment: If I remember correctly it's based on a standard SHA512, but does a lot of changes to it afterwards, not only using a salt. For example you configure it to recursively rehash it various times and other things. It's encoded here:
Created: 2012-10-24 16:39:26.46
Updated: 2012-10-24 16:39:26.46

Other people have tried the same without luck it seems:

Even if we mimic that behavior we have to make sure our implementations use the same configurations, which also seem to change between drupal versions, so there is no easy drop-in replacement for drupal code anyway. Plus drupal knows how to deal with different password encodings in case old user accounts exist - also something that will break our neck with drupal upgrades without manual intervention.

Comment: Thanks for providing those links. Then we either need to find a different solution or just get it working anyway.
Created: 2012-10-24 16:41:44.825
Updated: 2012-10-24 16:41:44.825

Comment: We could easily use a standard SHA512 if that makes you feel safer
Created: 2012-10-24 16:42:58.113
Updated: 2012-10-24 16:42:58.113

Comment: If we use a salt, then yes.
Created: 2012-10-24 16:52:23.991
Updated: 2012-10-24 16:52:23.991

Comment: Another article:
Created: 2012-11-21 09:33:07.069
Updated: 2012-11-21 09:33:07.069

Comment: A potential java implementation of the drupal hashing:
Created: 2012-11-26 19:50:29.905
Updated: 2012-11-26 19:50:29.905

Comment: We use the native drupal hashing now.
Created: 2013-08-20 11:33:26.808
Updated: 2013-08-20 11:33:26.808