What is Drupal's default password encryption method?
Asked Answered
P

6

53

I am trying to figure out what is the security that Drupal 6/7 uses by default to store passwords. Is it MD5, AES, SHA? I have been unable to find anything.

Poikilothermic answered 17/2, 2011 at 16:27 Comment(2)
"I have been unable to find anything." - Ok, normally, I don't do 'have you tried google' comments, but this is ridiculous - did you even try to find something? (Hint: copy and paste your questions title into a google search box)Lunneta
I did. And it brought me to Stack Overflow. :)Ursa
A
83

Drupal 8 and Drupal 7 use SHA512 by default with a salt. They run the hash through PHP's hash function numerous times to increase the computation cost of generating a password's final hash (a security technique called stretching).

With Drupal 8, the implementation is object oriented. There is a PasswordInterface which defines a hash method. The default implementation of that interface is in the PhpassHashedPassword class. That class' hash method calls the crypt method passing in SHA512 as the hashing algorithm, a password, and a generated salt. The class' crypt method is nearly the same as Drupal 7's _password_crypt() method.

With Drupal 7, the implementation is split into a couple global functions: user_hash_password() and _password_crypt().

Drupal 6 uses MD5 without a salt. The relevant function is user_save().

Arcuate answered 17/2, 2011 at 16:40 Comment(1)
It is worth noting that Drupal 7/8 uses a modified version of phpass which can be found under the the Secure Password Hashes module.Aetiology
W
42

Here is an example hash from Drupal 7:

  • "pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"

  • The characters 0-2 are the type ( $S$ is Drupal 7 )

  • The character 3 is the number of log2 rounds (X) based on the position of the char in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' So in our example 'D' would map to 15
  • The characters 4-11 are the SALT
  • The rest is a SHA512 hash using 2^X rounds.
  • The binary result is then converted to a string using base64.

    $count = 1 << $count_log2;
    $hash = hash($algo, $salt . $password, TRUE);
    do { $hash = hash($algo, $hash . $password, TRUE);
    } while (--$count);

The whole process can be found in: mydrupalsite\includes\password.inc

Winnow answered 9/10, 2013 at 14:10 Comment(0)
E
12

It can be checked inside www\includes\password.inc

function user_check_password($password, $account) {
  if (substr($account->pass, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $account->pass;
  }

  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':
      // A normal Drupal 7 password using sha512.
      $hash = _password_crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':
      // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':
      // A phpass password generated using md5.  This is an
      // imported password or from an earlier Drupal version.
      $hash = _password_crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }
  return ($hash && $stored_hash == $hash);
}

Its been clearly written that "// A normal Drupal 7 password using sha512."

Effieeffigy answered 16/11, 2013 at 3:14 Comment(0)
A
5

For Drupal 6 core, the method uses MD5 and as I understand it, there isn't any salting used. For drupal 7 some more advanced hashing is used. A good article on it here - http://joncave.co.uk/2011/01/password-storage-in-drupal-and-wordpress/

Antoneantonella answered 17/2, 2011 at 16:35 Comment(1)
Drupal 6 is no longer supported by the community, but there is a contributed module to make Drupal 6 core us the much stronger PHPASS mechanism: drupal.org/project/phpassConcertino
A
0

drupal 8 is using Phpass (modified version)

drupal 7 use SHA-512 + salt

drupal 6 and previous version were using md5 with no salt

Amygdaline answered 2/1, 2018 at 6:30 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.