Changing ELGG default password encryption from md5 -- reverse compatibility issues

I know Elgg is planning to upgrade the password encryption in a release sometime in the near future, but I can't release my site with md5. My site focuses on security and using md5 is  so insecure. I really do not want to release my site using md5, since it goes against my core cryptography beliefs. Upgrading the password code isn't hard-- making it compatible with older accounts is a bit challenging. I will be contributing all the code that I write to update the password and any code I use to the core. The core wants to use blowfish, since it works with every php install 5.3 and up. If anyone wants to work on fixing this issue with me, then I will post the code I have so far.

  • I don't have much knownledge about md5 and security, just the basic, but you've got us intriged now. Where is that code?


  • The elgg code is at engine/lib/users.php . My code to improve their code is right here. They always return md5, but instead I use the hash function and return sha512. I am sure they will say that isn't as secure as blowfish, but that is an area of cryptography  I could easily debate. 

    I replaced all md5 lines and return hash('sha512',$username . $secret); I am not sure if hash will allow the dot.  If it doesn't I will fix that issue.


  • Dangit, I logged in with the wrong twitter ID! I am Ryan Satterfield, but Planet Zuda is my company. I always use my companies twitter ID on elgg. I had no idea I was logged into the wrong account. All comments made above were on the behalf of my company Planet Zuda, LLC.

  • I see...

    We cannot upgrade all passwords directly because we don't have them. We have to wait an user logs in to rehash its password.

    If you don't like the md5, you can do a plugin to have sha512 in your elgg distribution. This will be a begin to have it in the core.

  • We haven't discussed the specifics, but here's a relevant ticket: We will likely use bcrypt and blowfish, since PHP has an internal implementation.

  • See #4665. Simple hashing--even with salting--is not sufficient. bcrypt and PBKDF2 (w/ 5k+ iterations) are the standards here. Phpass is not pretty but is very road-tested in tons of apps and written by a true crypto expert. There are more attractive PHP5.3 ports like zf2/Bcryptrchouinard/phpass, and ircmaxwell/PHP-PasswordLib.

    If we don't want to wait until PHP5.3 core requirements, we should use Phpass with Drupal's changes (their own hash identifier, sha512 instead of md5, bit better salt generation).

  • Perhaps even more important to active networks (before a break-in) is invalidating passwords that are common or of low entropy. I've started a plugin based on this class, which can allow you to specify various password requirements as well as blacklists of passwords that are specifically not allowed.

  • Maravilha.

    Dúvidas sobre configurações:

    1- "Informe o(s) código(s) do(s) país(es) que deseja bloquear, separados por vírgula. (Ex.: BR,US,HK). Para uma lista dos países disponíveis, clique aqui."

    Esse recurso se soma ao recurso da lista que coloquei no .htaccess? Ou é independente?

    2- Você recomenda fortemente usar as API do Stopforumspam E Fassim? Nesse caso, isso dispensaria o uso do recaptcha do Google, que não está servindo para nada?

    3- De uma maneira geral, estou usando a sua configuração padrão no restante. OK? Só Fassim e Stopforumspam é que não sei se usarei ou não. O que você diz?

  • +1 to use Drupal phppass in Elgg 1.9.

    We also should make it pluggable.

  • I agree that we should use phppass, although I disagree that we should wait till 1.9. If someone wants to work on modifying the core to use phppass, well, I'll help out! I'll start looking into it and see how I can implement it. My site already has members. No, it hasn't been "launched", but it has alpha testers. I need to make it so that it is only rehashed once. I am thinking of doing something like this.. if(elgg_is_logged_in && $password == elgg_old_password_encryption() )

    $password = elgg_new_password_encryption();


    What I am proposing is making a function called elgg_old_password_encryption that has the md5 hash that is currently the default password encryption. The elgg_new_password_encryption() function would implement phppass.


Feedback and Planning

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.