I'm developing a custom login application for Moodle.
I just want to know which algorithm does Moodle uses to encrypt passwords? So that, I can authenticate Moodle users on my login application.
It depends on the Moodle version. Until 2.5: MD5 plus optional salt (a global salt, for every password, stored in $CFG->passwordsaltmain). Since Moodle 2.5:
From Moodle 2.5 onwards Moodle automatically generates and adds a different salt for each individual user.
And:
The new password hashing mechanism relies on bcrypt support from PHP which is only normally available in PHP version is 5.3.7 or greater (see note below). If you are using a version of PHP which doesn't properly support bcrypt, Moodle will fall back to the old password hashing scheme, so we recommend that you continue to use a site-wide salt until you are able to upgrade PHP.
Source: Password salting.
Moodle has a pluggable authentication architecture. If you develop a custom Moodle authentication plugin, or find one that has already been developed, you could pass any kind of authentication token to Moodle.
After searching a while for the password hash generating function I found the following simple answer: in newer versions of Moodle you can use the following:
echo password_hash( "my password", PASSWORD_DEFAULT, array() );
Latest Moodle uses password_hash(), see more detailed answer on Moodle's forums: https://moodle.org/mod/forum/discuss.php?d=235504#p1023177
Moodle use MD5 algorithm to encrypt passwords
Related
TL;DR: I'd like to make a Moodle installation and an ASP.NET Identity-based site share authentication. If they have a single login page, so much the better, but logging in to one should automatically log into the other; logout should also be shared.
I have a Moodle installation (M) at www.example.com/moodle, and another website (O) at www.example.com.
O is written using .NET 4.5.2 and has areas that require authentication to access, managed using ASP.NET Identity 2.1 with a custom user model. This model is not particularly sophisticated. It is essentially the out-of-the-box model, but with integer IDs rather than GUIDs.
M is version 2.6, with intentions to upgrade to the latest version (currently 3.1) in the near future.
Both are accessible via the public Internet; there is no requirement to be on a private network to access them.
I know of no plans to move either M or O onto a different domain. However, if one or both was to move, I imagine they would move to a subdomain of example.com.
I would like to create a single-sign-on system, allowing a login for M to also log the user into O. As it stands, I am using the external database authentication plugin for Moodle, with M referring to the database for O. While this works, it does require the user to log in twice. I would like to set it up so that logging in to either M or O will also log the user in to the other site.
I am able to create matching hashes from PHP and .NET code. Unless it is particularly relevant to the solution, please consider the creation of hashes out of scope.
Some users of M are using Moodle's built-in authentication. However, unless it is particularly relevant to the solution, please consider the migration of users out of scope.
I'd prefer O to manage users, if possible. M, by nature of being Moodle, will have to have its own records for the users, but I'd like it if they were similar to the records used by the external DB plugin: just saying that the user exists and can be found elsewhere.
Things I have tried, investigated, or considered:
Moodle's external database plugin. This is how it works at the moment. It sort of works, but requires multiple logins.
Automating the multiple logins. I've experimented with taking the posted credentials, making a HTTP request from the server to the sites' respective login forms when logging in, lifting the cookie out of the response, then sending that cookie back to the client. This also works, but it's clunky at best, and is reliant on the cookies not getting out of sync.
Using PHP's DOTNET library and doing...something. All of the documentation that I can find says that DOTNET does not work with anything other than .NET 2.0, 3.0 or 3.5. I'm using 4.5.2, so this seems like a no-go. I don't know what I'd do even if I could get it to work with more recent versions of .NET.
Somehow getting Moodle to accept the ASP.NET Identity cookie in place of its own. This seems like the most fruitful course, given that it is a single cookie to manage.
To wrap up: I'd like to make M and O share authentication. If they have a single login page, so much the better, but logging in to one should automatically log into the other; logout should also be shared. Is this possible, and does anyone know how I should go about it?
Maybe take a look at SAML.
I believe that .NET 4.5 supports SAML?
https://msdn.microsoft.com/en-us/library/ms733083%28v=vs.110%29.aspx
On the server, install simplesamlphp.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp
It can be used both as a service provider and as an identity provider.
Then install this SAML plugin in Moodle :
https://moodle.org/plugins/auth_saml
I have an app which allows connections to multiple servers. At the moment I'm storing all connection details except the password using chrome.storage.sync.
Is it possible to store username/password combinations using the standard built-in password manager ?
Is it possible to store username/password combinations using the standard built-in password manager?
In short, no. There is no API to work with password storage of Chrome.
How to do authentication in a Chrome extension anyway? Here's an old question on this topic.
What changed since then is that Chrome has now a dedicated API for OAuth, chrome.identity, which provides a secure way of logging onto web services.
However, if you're looking to make something like a local password manager, then you cannot really protect against a malicious user. All storage you can access, and all encryption/decryption functions, are available for a user to inspect.
A server component that handles a certain decryption step is a good measure, but not always applicable.
Edit: as suggested by Vloz, a Native Client module that handles crypto functions is a good step to obfuscate data.
Passwords are hashed with a salt and are thus "secure" (relatively speaking) by default using has_secure_password in Rails 4. But what I want to do is encrypt the email at rest in the DB so if the database is compromised somehow the emails aren't just in plaintext.
I've looked at just writing my own encrypt/decrypt functions, but that's dangerous. I've looked at attr_encrypted (and have used it before) but it's not really compatible with the new Model.find_by(key: value) syntax that Rails 4+ pushes, and I don't want to create a hacked fix.
Is there anything out there already that will allow me to easily encrypt an attribute in the DB at rest and then decrypt it when I need to find it? I can't use hashes because I need the decrypted value to display and send emails to later.
I've googled for a while but can't seem to find anything like this. Surely encrypt/decrypt is something very basic that's been put into a convenient gem that's been reviewed by the community?
Have you considered the attr_encrypted gem?
Does anyone know how to issue additional claims from StarterSTS by Dominic (Codeplex). I currently am getting only Login Time Instance and the Authentication Type which is password. Is there some config file i can edit or Code i need to insert to provide additional claims to the user ?
I'm not sure if you can in StarterSTS, but if you note on the project it says:-
IMPORTANT
StarterSTS has been discontinued. The sources will stay up here for educational purposes. Please use my new project IdentityServer (http://identityserver.codeplex.com) from now on.
IdentityServer does support additional claims. You add the claims using the user profile - it's very easy to do so I would recommend you upgrade to this if possible.
I can't see the source for starterSTS so I'm not sure if it supports this feature. You can find Identity Server V2 here
Hi I am using CAS for SSO. But problem is that i want reset password,register new user on CAS login screen.Does CAS provide these services or i have to implement?
Or Any other SSO solution exist which fulfill my requirement.
CAS is just a SSO frontend to your existing identity management solution (database, LDAP etc). It does not include any identity management features itself (create user account, reset password etc). I have recently been using the Cloudseal platform which is a full identity management solution and so far I am pretty impressed. I believe Atlassians Crowd also includes this although I have not used it. There are probably other products out there as well.
Both of these are commercial products although they are both free for the first 50 users. Crowd is a traditional standalone platform which you download, install and configure but Cloudseal is a hosted service so there is no installation and less config.
You can certainly modify the spring weblog and login page to allow for the functionality that of course you'd have to implement. You should also ask the question on #cas-user mailing list to see if a similar need in the community has been implemented by other users which you may be able to take advantage of. I remember only recently someone raised the same question to the list and there was a bit of interest in getting this feature developed and integrated. You may want to revisit the topic on the mailing list.
Hope this helps.