Project

General

Profile

Actions

Feature #12855

closed

GUI option to select the user password hashing algorithm

Added by Jim Pingle almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default

Description

Different scenarios may call for different types of password hashing so it makes sense to give users the choice rather than only having a single default method.

We should offer a choice between at least the following hashes:

  • bcrypt (Default) for higher security
  • SHA-512 with the default number of rounds for compatibility/compliance/performance

Though we could offer a higher number of rounds with SHA512, the number of rounds must be identical when hashing and checking the hash so it is not compatible with hashes made with the default number of rounds. There could maybe be a separate/isolated "high rounds" SHA-512 option but that may be more confusing as it would require treating it as a completely separate hash type with its own uniquely named tag and so on.

We already have code in place to check these hash types, so the necessary changes should be fairly simple:

  • Add a UI element to pick the hash type on system_usermanager_settings.php
  • Add code to check the value of this setting before creating a hash of a user password
  • Ensure the code cleans up other hash types when making a new hash

Related issues

Related to Todo #10298: Use SHA-512 for user password hashesResolvedViktor Gurov02/27/2020

Actions
Related to Bug #12800: Suboptimal Password HashingClosedJim Pingle

Actions
Actions

Also available in: Atom PDF