[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Feb 19 05:36:48 CET 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

Mason James <mtj at kohaaloha.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #15517|0                           |1
        is obsolete|                            |

--- Comment #24 from Mason James <mtj at kohaaloha.com> ---
Created attachment 15518 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=15518&action=edit
Bug 9611 - Changing the hashing algorithm from MD5 to Bcrypt

What does this patch aim to accomplish?

 * All new passwords are stored as Bcrypt-hashes

 * For password verification:

     - If the user was created before this patch was applied then use MD5 to
hash the entered password <-- backwards compatibility

     - If the user was created after this patch was applied then use Bcrypt to
hash the entered password

 * Any password change will be automatically Bcrypt-hashed, this applies to old
members whose passwords were stored as MD5 hashes previously

Test plan:

  1) Add new users and check whether their passwords are stored as Bcrypt
hashes or not

  2) To test that authentication works for both old as well as new members

       a) Login as an existing user whose password is stored as a MD5 hash

       b) Login as an existing user whose password is stored as a Bcrypt hash

  3) Change the password of an existing member whose password is stored as an
MD5 hash

    a) Check the new password is stored as a Bcrypt-hash in the database

    b) Try to login with the new password

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>

Comment: Works as described. Small tabulation errors fixed in followup.

Test with patches 1-3 applied, run updatedatabase
1) Old user can login
2) New user can login
3) User with updated password can login
4) Inspection of DB shows different password lengths
Signed-off-by: Mason James <mtj at kohaaloha.com>
