password salt vs. password policy

by Guillermo Madero -
Number of replies: 2

Hi,

As we were on a development & testing phase, neither password salting nor a password policy was being used on our site. However, as we are about to start accepting student enrollments, I have just upgraded the first of two sites from 1.9.6 to 1.9.8, and I have also read all Moodle docs about password security.

I would like to know what people with more real-life experience at Moodle think would be, both from a security and from a practical point of view, the best option to set up a site:

  1. enforce a strong password policy
  2. use the password salt option at config.php and let users keep using their weak passwords
  3. or enforce strong passwords AND use the password salt

Thanks in advance,

Guillermo

Average of ratings: -
In reply to Guillermo Madero
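The three options in the question are easier to weigh with a small model of what each one changes about a stored password. The following is an added example written for this thread, not code from Moodle or from the poster, and it is Python rather than Moodle's PHP. It assumes the 1.9-era scheme of md5(password + site salt), with the salt held in config.php as `$CFG->passwordsaltmain`, and it names the policy thresholds after Moodle's password-policy admin settings (both assumptions; the salt value and the short weak-password list are constructed for the example). It shows that a site-wide salt stops a precomputed md5 lookup table from recovering a stored hash, while only a policy stops the weak password from being accepted in the first place.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed site-wide salt. In Moodle 1.9 the equivalent is $CFG->passwordsaltmain
# in config.php (assumed setting name); a real site uses a long random value,
# never this literal one.
SITE_SALT = "constructed-example-salt-do-not-reuse"

# Policy thresholds, named after Moodle's password-policy admin settings
# (assumed names; the values are illustrative).
POLICY: Dict[str, int] = {
    "minpasswordlength": 8,
    "minpassworddigits": 1,
    "minpasswordlower": 1,
    "minpasswordupper": 1,
    "minpasswordnonalphanum": 1,
}


def policy_violations(password: str, policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the policy rules a candidate password fails (empty list = accepted)."""
    counts = {
        "minpasswordlength": len(password),
        "minpassworddigits": sum(c.isdigit() for c in password),
        "minpasswordlower": sum(c.islower() for c in password),
        "minpasswordupper": sum(c.isupper() for c in password),
        "minpasswordnonalphanum": sum(
            (not c.isalnum()) and (not c.isspace()) for c in password),
    }
    return [rule for rule, minimum in policy.items() if counts[rule] < minimum]


def hash_unsalted(password: str) -> str:
    """Plain md5(password): what a 1.9 site stored before salting was enabled."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: str = SITE_SALT) -> str:
    """md5(password + salt), the assumed 1.9-era scheme once passwordsaltmain is set."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def verify(password: str, stored_hash: str, salt: str = SITE_SALT) -> bool:
    """Constant-time comparison of a login attempt against the stored salted hash."""
    return hmac.compare_digest(hash_salted(password, salt), stored_hash)


# Constructed list of weak passwords, standing in for the precomputed md5 tables
# that already exist for unsalted hashes of common passwords.
COMMON_WEAK = ["password", "123456", "qwerty", "letmein", "moodle"]
PRECOMPUTED: Dict[str, str] = {hash_unsalted(p): p for p in COMMON_WEAK}


def precomputed_lookup(stored_hash: str) -> Optional[str]:
    """Recover a password from a stored hash only if that hash is in the table."""
    return PRECOMPUTED.get(stored_hash)


def assess(password: str) -> Dict[str, object]:
    """Summarise how the options discussed in the thread treat one password."""
    return {
        # option 1: would the policy reject it at enrolment time?
        "policy_violations": policy_violations(password),
        # no salt: does a precomputed table recover it from the stored hash?
        "unsalted_in_table": precomputed_lookup(hash_unsalted(password)) is not None,
        # option 2: same table against the salted hash (site salt not in the table)
        "salted_in_table": precomputed_lookup(hash_salted(password)) is not None,
    }


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3"]:
        print(pw, assess(pw))
```

Running it shows "password" failing three policy rules and being recovered from the unsalted hash but not from the salted one, while "Tr0ub4dor&3" passes the policy and is recovered from neither. That is the case for option 3: the salt protects whatever is stored against precomputed tables, and the policy keeps the stored values from being guessable in the first place.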

This forum post has been removed

The content of this forum post has been removed and can no longer be accessed.
In reply to Deleted user

Re: password salt vs. password policy

by Guillermo Madero -

Thanks for the advice. I did both as you recommended. (smile)

I think that from the Moodle site point of view, getting either of them (salt/db) would not actually be of any good, as the actual password would still be unknown to the hacker, which of course is irrelevant because he could simply erase the password field and log in to generate a new one.

However, as the password doesn't get to be known, at least personal data could be kept private if Moodle were to encrypt it.