Update Password Encryption Method

Hello @everyone

I need to implement custom code-level and database-level changes in my Discourse Rails application to meet my specific requirements.

Update password encryption method. Currently, Discourse uses “PBKDF2” for password encryption.
As per my requirement, I need to switch to “MD5” instead of “PBKDF2”.

I have set up the code in my local environment and have also deployed Discourse to the production environment using Docker.

When I update the local code based on my requirement, I need to redeploy the updated code in the production environment. Currently, the production environment uses the official Discourse Docker file, so I need to generate a new Docker file. How can I create a new Docker file, and how can I access the PostgreSQL database of the Discourse application in the production environment?

This appears to be a significant security downgrade. MD5 is unsuitable for password hashing. Not only would this change affect a critical part of Discourse, but you would also need to maintain it for all future releases.

Perhaps we can suggest a better approach if you could explain what you’re trying to achieve.

Regarding customizing Discourse, please take a look at Developing Discourse Plugins - Part 1 - Create a basic plugin. The plugin system allows you to safely extend core features.

6 Likes

I have created new APIs and I need to redeploy them in my production code. How is it possible to deploy them in the production Docker?

You want to make your changes in a plugin. If you want to fork Discourse and try to maintain that separately you’ll be very, very, sorry, if history is any indicator.

What problem are you trying to solve with passwords stored as an MD5 hash? As suggested already, the whole internet seems to agree that MD5 is not encryption and not suitable for storing passwords.

3 Likes

Clarification: as Jay notes, neither MD5 nor PBKDF2 are encryption functions.

They are both hashing functions. Discourse does not store passwords.

Spot on. Even if you don’t believe us, we’re not the only ones saying this.

What problem are you trying to solve?

4 Likes
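Added example, not part of any post in this thread and not Discourse's own code: a Ruby sketch of what the replies mean by salted, iterated password hashing versus a bare MD5 digest. The record format, the parameter values and all function names are assumptions made for this illustration.

```ruby
require "openssl"
require "digest"
require "securerandom"

# Illustrative parameters (assumptions for this example, not Discourse's settings).
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32

# Build a salted PBKDF2-HMAC-SHA256 record: "iterations$salt_hex$hash_hex".
# A fresh random salt per user makes equal passwords produce different records.
def pbkdf2_record(password, salt: SecureRandom.random_bytes(SALT_BYTES), iterations: ITERATIONS)
  digest = OpenSSL::Digest.new("SHA256")
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, HASH_BYTES, digest)
  [iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

# Compare two strings without returning early on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the stored salt and iteration count, then compare the hashes.
# Storing the iteration count in the record lets the work factor be raised later.
def pbkdf2_verify(password, record)
  iterations, salt_hex, hash_hex = record.split("$")
  candidate = pbkdf2_record(password, salt: [salt_hex].pack("H*"), iterations: iterations.to_i)
  constant_time_equal?(candidate.split("$").last, hash_hex)
end

# Bare MD5 as proposed in the thread: no salt, no work factor, one fast pass.
def md5_record(password)
  Digest::MD5.hexdigest(password)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: two accounts that happen to share one password.
  alice = pbkdf2_record("correct horse")
  bob   = pbkdf2_record("correct horse")
  puts "PBKDF2 records equal? #{alice == bob}"
  puts "MD5 digests equal?    #{md5_record('correct horse') == md5_record('correct horse')}"
end
```

With bare MD5, every account using the same password stores the same digest, so one leaked table exposes all of them at once; the salted records differ per account, and each guess against them costs the full iteration count.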

Need help to find a solution. I need to change an encryption method in ROR (Discourse). Currently, I am using MD5 encryption. I made changes at the code level in my local environment. How can I reflect those changes on the live server without the help of Docker?

Currently, the production environment is set up using Docker configuration.

Here is the link that was followed to set up the production environment.
URL: discourse/docs/INSTALL-cloud.md at main · discourse/discourse · GitHub

You still haven’t said what problem you’re trying to solve. Can you say more about what MD5 is solving?

You still need to implement whatever changes you make on a plugin. Have you started to learn how plugins work?

But I bet what you really want is to have Discourse authenticate against your existing app, in which case you just need to implement discourse_connect and Discourse won’t need to know about your choices in password storage.

2 Likes