[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Oct 3 16:21:34 CEST 2013 

http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #80 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Created attachment 21769
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21769&action=edit
Bug 9611: Change the password hashing algorithm from MD5 to Bcrypt

What this patch aims to accomplish?

 * All new passwords are stored as Bcrypt-hashes
 * For password verification:
     - If the user was created before this patch was applied then use
        MD5 to hash the entered password <-- backwards compatibility
     - If the user was created after this patch was applied then use
       Bcrypt to hash the entered password
 * Any password change made via the staff interface or the OPAC will
   be automatically Bcrypt-hashed; this applies to old users whose
   passwords were stored as MD5 hashes previously

Test plan:
  1) Add new users and check whether their passwords are stored as
     Bcrypt hashes or not.
  2) To test that authentication works for both old as well as new
     users:
       a) Login as an existing user whose password is stored as a
          MD5 hash
       b) Login as an existing user whose password is stored as a
          Bcrypt hash
  3) In the staff interface, change the password of an existing user
     whose password is stored as an MD5 hash
    a) Check the new password is stored as a Bcrypt-hash in the database
    b) Try to login with the new password
  4) In the OPAC, verify that
    a) Old user with old pass can change password, new format
    b) New user with new pass can change password
    c) Old and new user with self-updated pass can login

Whitespace cleanup was contributed by  Bernardo Gonzalez Kriegel.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Signed-off-by: Mason James <mtj at kohaaloha.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>

-- 
You are receiving this mail because:
You are watching all bug changes.

More information about the Koha-bugs mailing list