Feature Wiki

Information about planned and released features

Tabs

Abandon MD5 Password Encryption

Page Overview

[Hide]

1 Requirements
2 Additional Information
3 Discussion
4 Implementation

The feature has been removed for ILIAS 5.2.x, 5.1.x, and 5.0.x.

1 Requirements

Current Situation:

The password of ILIAS is stored as a MD5 hashed string in the database. This is not state of the art and not recommended by the PHP documentation.

Proposal:

Abandon md5 passwod encoding and switch EXISTING installations to bcrypt.

For ILIAS >= 5.0.x the default password encoder for user account passwords has to be switched to bcrypt. The password settings step in the setup will be removed. User passwords still hashed with MD5 will be migrated on successful login. It will not be possible anymore to use MD5 as passsword type in user imports (GUI, SOAP, ...).

Optional: For ILIAS 5.2.x we suggest to implement a new password encoder using the PHP native password hashing API, replacing the current bcrypt implementation.

2 Additional Information

Idea / concept: Kiegel, Colin [kiegel]
Interest in funding: ILIAS-Verein
Maintainer: Jansen, Michael [mjansen]
Implementation of the feature is done by Jansen, Michael [mjansen]
Testcases not needed

3 Discussion

Kiegel, Colin [kiegel], 2016-07-04: Mantis #18585: abandon insecure md5 password encoding

JourFixe, ILIAS [jourfixe], JUL 25, 2016: We highly appreciate to abandon MD5 encryption for 5.2 as well as for 5.0 and 5.1.

[tmueller@databay.de], Aug 09, 2016: Our customer use still the opportunity to import user via an Excel export. So for this, there is no way to import without using plain text password.

JourFixe, ILIAS [jourfixe], August 15, 2016: We do not want to re-introduce MD5 for security reasons (MD5 hashed passwords are basically plain text). For 5.1 we suggest to not include passwords in XLS-import files. With 5.2 it would be possible to generate a password with Bcrypt if the import script implements the same algorithms as ILIAS and knows the ILIAS secret.

4 Implementation

We switched the default password encoder to bcrypt. For ILIAS < 5.2.x we used an own bcrypt wrapper (internally using http://php.net/manual/en/function.crypt.php). ILIAS 5.2.x makes use of the native PHP password hashing API (http://php.net/manual/en/book.password.php). Existing MD5 hashed passwords will be migrated to a bcrypt hash after successfull authentication.

It will not be possible to import MD5 hashed passwords anymore. Passwords can only be passed as plain text.
See What's wrong with the UserImport and why is ILIAS3 "illegal" for more details.

Test Cases

not relevant.

Approval

Approved at August 19, 2016, by Kunkel, Matthias [mkunkel]

Last edited: 19. Apr 2023, 12:28, Kunkel, Matthias [mkunkel]