I have noticed that the user's password is encrypted in the database. Where do I find the code in Moodle that encrypts and decrypts the data?
The reason I ask is I'm interested to know how this sort of stuff works.
Thank you very much for that information; it was a good read!
If someone could help me understand one aspect:
If the MD5 process is "irreversible", how does Moodle get the password and email back to the user when they have forgotten it?
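As an added illustration of the question above (example code, not Moodle's own and not from any post in this thread): a stored password hash cannot be turned back into the password, so a "forgotten password" flow does not recover the old one; it generates a new temporary password, hashes that, and stores the new hash. The in-memory `USERS` table, the `hash_password`/`check_password`/`reset_password` helpers and the salt handling are all constructed for this example; the algorithm name is a `hashlib` name, and `"md5"` is used as the default only because it is what the thread discusses.

```python
import hashlib
import os
import secrets

# Constructed stand-in for the database rows the thread talks about.
# The stored value is a hash of the password, not an encryption of it,
# so there is no corresponding "decrypt" step anywhere.
USERS = {}


def hash_password(password: str, salt: bytes, algorithm: str = "md5") -> str:
    """Hex digest of salt || password using any hashlib algorithm name."""
    h = hashlib.new(algorithm)
    h.update(salt + password.encode("utf-8"))
    return h.hexdigest()


def create_user(username: str, password: str, algorithm: str = "md5") -> None:
    """Store a fresh random salt and the hash of the chosen password."""
    salt = os.urandom(16)
    USERS[username] = {
        "algorithm": algorithm,
        "salt": salt,
        "hash": hash_password(password, salt, algorithm),
    }


def check_password(username: str, candidate: str) -> bool:
    """Login check: re-hash the candidate and compare against the stored digest.
    The stored hash is never reversed; the candidate is hashed forwards instead."""
    rec = USERS.get(username)
    if rec is None:
        return False
    expected = rec["hash"]
    actual = hash_password(candidate, rec["salt"], rec["algorithm"])
    return secrets.compare_digest(expected, actual)


def reset_password(username: str) -> str:
    """Forgotten-password flow: the old password cannot be recovered from its
    hash, so a new temporary password is generated, hashed and stored. The
    plaintext is returned once so it can be delivered to the user (the email
    step is not modelled here)."""
    rec = USERS[username]
    temp_password = secrets.token_urlsafe(12)
    rec["salt"] = os.urandom(16)
    rec["hash"] = hash_password(temp_password, rec["salt"], rec["algorithm"])
    return temp_password


if __name__ == "__main__":
    create_user("alice", "correct horse", "md5")
    print("login ok:", check_password("alice", "correct horse"))
    temp = reset_password("alice")
    print("old password still works:", check_password("alice", "correct horse"))
    print("temporary password works:", check_password("alice", temp))
```

The point to take from the flow is that the only two operations ever performed on the stored value are "compute a hash" and "compare two hashes"; nothing in the login or reset path needs the original password back.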
The "weakness" in MD5 is no weakness at all thus far. By this, I mean that things like "n-round X algorithm has been successfully attacked" doesn't mean anything for the same algorithm with n+1 rounds. It doesn't bode well, but it also is not condemning. Maybe MD5 will be compromised in the future, as this shows, but there really is no problem right now. Probably even if you are the US Government, not a Moodle installation.
When moving from MD5, the only reasonable alternative right now is SHA-1. "Applied Cryptography" is a very good read on the subject; I bought my paper copy after reading it in PDF.
Jon
Being able to produce collisions makes a hashing algorithm useless for digital signatures. For then one can produce two versions of a document, get someone to digitally sign one version, and then apply the digital signature to the other version and get the signature to verify. MD4, a precursor to MD5, was broken in this way some time ago.
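A small added demonstration of the signature argument in the post above (example code, not from the poster): a "signature" is computed over a document's digest, so if two documents share a digest, a signature made for one verifies against the other. To keep it self-contained the example uses a constructed toy hash (the byte sum modulo 2^16, which collides for any two reorderings of the same bytes) alongside SHA-256; the toy hash is not MD4 or MD5 and illustrates only the consequence of collisions, not how any real hash was attacked. The HMAC-based `sign`/`verify` pair is a hypothetical stand-in for a public-key signature over a digest.

```python
import hashlib
import hmac


def toy_hash(data: bytes) -> bytes:
    """Constructed, deliberately collision-prone digest: sum of bytes mod 2**16.
    Any two inputs with the same multiset of bytes collide."""
    return (sum(data) % 65536).to_bytes(2, "big")


def real_hash(data: bytes) -> bytes:
    """Collision-resistant digest for comparison."""
    return hashlib.sha256(data).digest()


def sign(digest_fn, key: bytes, document: bytes) -> bytes:
    """Hypothetical signature scheme: the signer keys an HMAC over the
    document's digest. Only the digest enters the signature, which is the
    property the collision argument relies on."""
    return hmac.new(key, digest_fn(document), "sha256").digest()


def verify(digest_fn, key: bytes, document: bytes, signature: bytes) -> bool:
    """Re-derive the signature for 'document' and compare in constant time."""
    return hmac.compare_digest(sign(digest_fn, key, document), signature)


def signature_transfers(digest_fn, key: bytes, doc_a: bytes, doc_b: bytes) -> bool:
    """True if a signature produced over doc_a also verifies for doc_b,
    i.e. the scheme built on digest_fn lets the signature be moved."""
    return verify(digest_fn, key, doc_b, sign(digest_fn, key, doc_a))


# Constructed documents: same bytes in a different order, so they collide
# under toy_hash but not under real_hash.
DOC_A = b"Pay 100 to Alice"
DOC_B = b"Pay 001 to Alice"
SIGNER_KEY = b"constructed signer key"


if __name__ == "__main__":
    print("toy digests equal:", toy_hash(DOC_A) == toy_hash(DOC_B))
    print("toy signature moves between documents:",
          signature_transfers(toy_hash, SIGNER_KEY, DOC_A, DOC_B))
    print("sha256 signature moves between documents:",
          signature_transfers(real_hash, SIGNER_KEY, DOC_A, DOC_B))
```

The defender's reading: a signature scheme inherits the collision resistance of the digest it signs, so once collisions can be produced for a hash, signatures over it stop binding the signer to one specific document, and the hash needs to be replaced in that role.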
Zig beat me to the correct answer... oh well!
WP: I can only recommend the book (which you will LOVE if you like mathematics and/or algorithms, by the way). Our friend Google should help you if you want online material.
I've said it before and I'll say it again - Moodle isn't a banking application. If you are truly seriously worried about security you need to do an end-to-end security audit of your systems. I bet you'll find that the MD5 hashing is a long way off being the weak link in the system. Who has the keys to your server room?
Anyway, Moodle is a learning system - what data is held on it that is so important?
FWIW - we are very fussy about allowing access to some of our courses because we tell our students that their forum discussions are private, BUT... we also tell them that we don't 100% guarantee it.