
Password encryption (Salt)

What does password encryption mean?

Passwords are stored in Moodle in encrypted form, as an MD5 hash.

Salt is a way to make passwords even more secure by adding a random string to a password before the MD5 hash is calculated. The longer this random string, the more difficult it is to recover the password via hash lookup, and the more secure the passwords are.

How does password encryption work in Moodle?

Before Moodle 2.5 there was a single salt that was valid system-wide and with which all user passwords were encrypted. As of Moodle 2.5, Moodle automatically generates a salt for each individual user and uses it to encrypt that user's password. This is safer than the previous procedure. It means that for new installations from Moodle 2.5 onwards the salt variable in the Moodle configuration file is no longer required.

Enable password encryption

To activate the password encryption, you have to add the following line to the Moodle configuration file config.php:

$CFG->passwordsaltmain = 'a random string as long as possible';

This random string should be a mix of letters, numbers and special characters. You can use the Moodle Salt Generator to generate a sufficiently long string. We recommend a length of at least 40 characters.

Caution: For security reasons, password encryption can only be activated in the Moodle configuration file and not directly via Moodle in the browser.

Change the salt

If for any reason you want to change the salt, the old salt has to be saved in the Moodle configuration file and the new salt has to be added.

passwordsaltmain must be changed to passwordsaltalt1 (Caution: use exactly this notation!) and the new value is added:

$CFG->passwordsaltalt1 = 'old random character string as long as possible';
$CFG->passwordsaltmain = 'new random string as long as possible';

If you want to change the salt a second time, all old salts must be kept (at least until every user has logged in at least once). Use $CFG->passwordsaltalt2, $CFG->passwordsaltalt3, etc. to save up to 20 old salts.

Warning: If you change the salt without keeping the old value in the file config.php, you can no longer log in to your Moodle installation!

Disable password encryption

Attention: We strongly advise against this! Once you have activated password encryption, you should not deactivate it again.

To deactivate the password encryption again, you have to delete the value of $CFG->passwordsaltmain, comment it out or set it to the empty string.

// Example: comment out
/* $CFG->passwordsaltmain = ''; */
// Example: set to empty string
$CFG->passwordsaltmain = '';

In addition, you have to move the old salt to an old value (analogous to changing the salt, see above):

$CFG->passwordsaltalt1 = 'old random string as long as possible';
$CFG->passwordsaltmain = '';

Import users from another Moodle installation

If you are importing users from another Moodle installation, and this installation uses password encryption, then you have to add the salt from the other Moodle installation to the configuration file config.php of your Moodle installation. You can add up to 20 salts from other Moodle installations.

$CFG->passwordsaltalt1, $CFG->passwordsaltalt2, ... $CFG->passwordsaltalt20

How does password encryption work?

When Moodle checks a password, it looks for $CFG->passwordsaltmain in the code. If this variable is set, the code appends the password to the salt and then calculates the MD5 hash.

If the MD5 hash of the password can be validated without salt, then it is assumed that the salt was set for the first time since the user last logged in. The user's password is updated using the salt. The password is therefore encrypted with the salt the first time the user logs in after the salt has been set in the file config.php.

If the MD5 hash of the password cannot be validated with or without a salt, then the code searches for up to 20 alternative salts. These must be saved in the file config.php as described above.

If a user logs in whose password is encrypted with an old salt, the validation with the new salt does not work. In this case, the alternative salts are processed and checked one after the other. As soon as a salt is reached for which the validation is successful, processing stops and the password is updated using the latest salt.
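
The validation order described in this section, as an added PHP sketch that is not Moodle's own code. The function names, the sample salts and password, and the concatenation order (password followed by salt) are assumptions of this example.

```php
<?php
// Added sketch of the check order described above; not Moodle's own code.
// Assumption: the stored hash is md5(password followed by salt).
function salted_md5(string $password, string $salt): string {
    return md5($password . $salt);
}

// Hypothetical helper. Returns [valid, newhash]; newhash is non-null when the
// stored hash should be replaced by one computed with the current main salt.
function validate_legacy_password(stdClass $cfg, string $stored, string $password): array {
    $main = $cfg->passwordsaltmain ?? '';

    // 1. Current main salt (plain MD5 when no main salt is configured).
    if (hash_equals($stored, salted_md5($password, $main))) {
        return [true, null];
    }

    // 2. Unsalted hash: the salt was set after the user's last login.
    $valid = $main !== '' && hash_equals($stored, md5($password));

    // 3. Old salts passwordsaltalt1 .. passwordsaltalt20, in order; stop at the first match.
    for ($i = 1; !$valid && $i <= 20; $i++) {
        $alt = $cfg->{'passwordsaltalt' . $i} ?? '';
        if ($alt !== '' && hash_equals($stored, salted_md5($password, $alt))) {
            $valid = true;
        }
    }

    // A match in step 2 or 3 means the stored hash is upgraded to the main salt.
    return $valid ? [true, salted_md5($password, $main)] : [false, null];
}

// Constructed sample configuration: the salt has been changed once.
$cfg = new stdClass();
$cfg->passwordsaltalt1 = 'constructed-old-salt';
$cfg->passwordsaltmain = 'constructed-new-salt';

// Constructed user record whose hash still uses the old salt.
$stored = salted_md5('s3cret', 'constructed-old-salt');

[$ok, $newhash] = validate_legacy_password($cfg, $stored, 's3cret');
var_dump($ok);                                                        // login accepted?
var_dump($newhash === salted_md5('s3cret', 'constructed-new-salt')); // upgraded to main salt?

[$ok, $newhash] = validate_legacy_password($cfg, $stored, 'wrong-password');
var_dump($ok, $newhash);                                              // rejected, nothing to store
```

Removing passwordsaltalt1 from the sample configuration makes the first call fail as well, which is the lockout the warning under "Change the salt" describes.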
