[Koha] MD5 hash password encryption

Galen Charlton gmc at esilibrary.com
Tue Feb 18 06:39:25 NZDT 2014


On Mon, Feb 17, 2014 at 9:35 AM, Coehoorn, Joel <jcoehoorn at york.edu> wrote:
>> I would like to know the exact MD5 hash conversion for this number
> 81dc9bdb52d04dc20036dbd8313ed055

That won't work, actually -- Koha used md5_base64(), not md5_hex(),
when generating the hash.

> Just be warned: there are different ways of formatting that result, and it
> assumes no salt. Best practices for authentication are to prepend a
> per-user salt before creating each hash value. And really, best practices
> say not to use md5 for passwords at all. It's too weak, almost to the point
> where you may just as well store your passwords in plain text. A better
> option is bcrypt, which is now supported by Koha.

Indeed.  I want to reinforce this and recommend that folks setting up
new Koha databases use 3.14 in order to take advantage of much better
user password encryption.


Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
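
Added example (not part of the original message, and not Koha's own code): the hex digest quoted above and the md5_base64() form mentioned in the reply are two encodings of the same 16 bytes. This Python sketch re-encodes one into the other and labels stored values by shape so legacy MD5 rows can be found; the function names and the bcrypt pattern (modular-crypt prefix $2a$/$2b$/$2y$) are assumptions of the example.

```python
import base64
import binascii
import re

# Hex digest quoted in the thread (md5_hex-style formatting).
THREAD_HEX_DIGEST = "81dc9bdb52d04dc20036dbd8313ed055"

def hex_to_md5_base64(hex_digest: str) -> str:
    """Re-encode an MD5 hex digest the way Perl's Digest::MD5 md5_base64()
    formats it: standard base64 alphabet, no trailing '=' padding."""
    raw = binascii.unhexlify(hex_digest)
    if len(raw) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def md5_base64_to_hex(b64_digest: str) -> str:
    """Inverse: restore the padding md5_base64() drops, then hex-encode."""
    raw = base64.b64decode(b64_digest + "==", validate=True)
    if len(raw) != 16:
        raise ValueError("not a 16-byte MD5 digest")
    return raw.hex()

# Heuristic shapes, by length and alphabet only (assumptions of this example).
_BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
_MD5_B64 = re.compile(r"[A-Za-z0-9+/]{22}")
_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

def classify_stored_hash(value: str) -> str:
    """Label a stored password value so legacy MD5 rows can be found and reset."""
    if _BCRYPT.fullmatch(value):
        return "bcrypt"
    if _MD5_B64.fullmatch(value):
        return "md5_base64"
    if _MD5_HEX.fullmatch(value):
        return "md5_hex"
    return "unknown"

if __name__ == "__main__":
    b64 = hex_to_md5_base64(THREAD_HEX_DIGEST)
    print(THREAD_HEX_DIGEST, "->", b64, "->", classify_stored_hash(b64))
    # Constructed placeholder with bcrypt's shape, not a real hash.
    print(classify_stored_hash("$2a$08$" + "." * 53))
```

The shape check is a heuristic: any 22-character base64 string is labelled md5_base64, so treat its output as a list of rows to review rather than proof of the algorithm used.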
