I noticed recently that password salting (for internal enrollment) is not enabled by default. It seems to me that a randomized salt should be assigned by the Moodle installer, and the upgrader or security report should force a salt be assigned if one is not set.
Without salting, hashed passwords are trivial to crack with rainbow tables and the like. It's a myth that the MD5 algorithm is not-reversible. For short plaintext, the hashes can be pre-calculated by a processing farm, and stored in a db for easy lookup.
Online sites like http://www.md5decrypter.co.uk/ and http://www.cmd5.com/english.aspx can reverse billions of md5 hashes. In my testing, they can reverse many typical user passwords. Try it yourself if you're curious... look up the password hash for a given account in the moodle db (select password from mdl_user where username='user') and copy/paste it into the md5decrypter site. You might want to be sitting down.
If you salt a password before hashing, you effectively eliminate the possible that the hashes can be reversed.
The code for handling salted passwords in /lib/moodlelib.php looks complete..
-- when a password is checked, the code looks for CFG->passwordsaltmain. If set, it appends the user's password to the salt before the md5.
-- if the unsalted md5 of a user's password validates, it is assumed that the salt was set for the first time since the last time the user logged in. The user's password is upgraded, using the salt.
-- if neither the unsalted md5, or the salted md5 validates, the code looks for up to 20 alternate salts. I can see how these could be used to change the main salt without locking out your users. (You would store the old main salt in one of the numbered alternate salt slots, and set the passwordsaltmain to the new value.) Then after a suitable time for password rehashing (a year or so) you could clear out the alternate salt entry.
So... is there a reason why Moodle couldn't set up a random salt by default? Something like 32 characters of alphanumerics + punctuation would be ideal.
-Garret