Update Password Encryption Method

gambhir-makwana · July 15, 2024, 11:54am

I need to implement custom code-level and database-level changes in my Discourse Rails application to meet my specific requirements.

Update password encryption method. Currently, Discourse uses “PBKDF2” for password encryption.
As per my requirement, I need to switch to “MD5” instead of “PBKDF2”.

I have setup code in my local environment and also, deployed discourse the production environment using Docker.

When I update the local code based on my requirement then I need to redeploy my updated code in the production environment but currently, I have set the production environment discourse official docker file so I need to generate a new docker file how I can create a new docker file and how to access PostgreSQL database discourse application production environment

selase · July 15, 2024, 1:03pm

This appears to be a significant security downgrade. MD5 is unsuitable for password hashing. Not only would this change affect a critical part of Discourse, but you would also need to maintain it for all future releases.

Perhaps we can suggest a better approach if you could explain what you’re trying to achieve.

Regarding customizing Discourse, please take a look at Developing Discourse Plugins - Part 1 - Create a basic plugin. The plugin system allows you to safely extend core features.

gambhir-makwana · July 15, 2024, 1:18pm

I have a created new API’s and I need to redeployed in my production code How it possible to deployed in production docker

pfaffman · July 15, 2024, 4:52pm

You want to make your changes in a plugin. If you want to fork Discourse and try to maintain that separately you’ll be very, very, sorry, if history is any indicator.

What problem are you trying to solve with passwords stored as an MD5 hashh? As suggested already, the whole internet seems to agree that MD5 is not encryption and not suitable for storing passwords.

supermathie · July 15, 2024, 5:02pm

Clarification: as Jay notes, neither MD5 nor PBKDF2 are encryption functions.

They are both hashing functions. Discourse does not store passwords.

Spot on. Even if you don’t believe us, we’re not the only ones saying this.

What problem are you trying to solve?

gambhir-makwana · July 16, 2024, 6:22am

Need help to find a solution. I need to change an encryption method in ROR (Discourse). Currently, I am using MD5 encryption. I made changes in the code level in my local environment. How can I reflect those changes in the live server without the help of Docker?

Currently, the production environment is set up using Docker configuration

Here is the link that was followed to set up the production environment.
URL: discourse/docs/INSTALL-cloud.md at main · discourse/discourse · GitHub

pfaffman · July 16, 2024, 12:31pm

You still haven’t said what problem you’re trying to solve. Can you say more about what MD 5 is solving?

You still need to implement whatever changes you make on a plugin. Have you started to learn how plugins work?

But I bet what you really want is to have discourse authenticate against your existing app, in case you just need to implement discourse_connect and discourse won’t need to know about your choices in password storage.

Topic		Replies	Views
How to get a password from database? Installation	7	1159	May 29, 2023
Reset password with custom ruby file Dev	9	683	September 27, 2023
How to upgrade Discourse from 1.6.1 version to latest_release Support	13	1644	May 19, 2023
Configure Discourse - Environment AWS Linux 2 AMI and Apache2 (httpd) Installation advanced-setup	3	2010	July 7, 2023
Does the Discourse install set a default postgres password? Installation	3	1653	May 26, 2024

Update Password Encryption Method

Related topics