Astute onCourse users will have noticed that 2.1.8 has removed the web password field from the user interface. Even though that field was displayed as a row of dots, the real password was stored in the database behind the scenes; that stored plain-text value will go away entirely in onCourse 3.0. We have now implemented a new way for users to reset their password from the http://www.skillsoncourse.com.au website. Instead of having the existing password recovered and sent by email, the user has an email sent to their address containing a link which can be used to set a new one. The difference is subtle but important: a special link to reset a password means there is never any way to find out what the old password was. This has some nice security benefits:

  • a rogue college is not able to look in the database and find the user’s password
  • ish technical support cannot look in the database and find the user’s password
  • someone who compromises a user’s email account cannot recover their password: this is particularly important because many users reuse the same password on many different sites, so a recovered password would unlock far more than onCourse. They shouldn’t, but they do.

So someone wanting to do evil who manages to trigger a reset (e.g. by taking control of the user’s email address) can only set the password to a new value; they learn nothing about the old one. And the original user will know something is wrong when their own password stops working the next time they try to log in.
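The reset flow described above, as an added illustration in Python; this is not onCourse’s own code and makes its own assumptions (an in-memory store in place of the database, a one-hour link lifetime, a SHA-256 fingerprint of the token at rest, and a `PasswordResetStore` class that exists only for this example). The points it is meant to show are that the emailed token is random and single-use, that only a hash of it is stored, and that redeeming it can only write a new password record, never read the old one:

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption for this example: a reset link stays valid for one hour.
TOKEN_TTL_SECONDS = 3600


def token_fingerprint(token: str) -> str:
    """Hash of the emailed token; this is what gets stored, never the token itself,
    so someone reading the database still cannot build a working reset link."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetStore:
    """In-memory stand-in for the user and reset tables (constructed for this example)."""

    def __init__(self) -> None:
        # email -> opaque password record (a salted hash in a real system)
        self.users: Dict[str, str] = {}
        # token fingerprint -> (email, expiry time as a Unix timestamp)
        self.pending: Dict[str, Tuple[str, float]] = {}

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh single-use token for the emailed link.

        Returns the raw token to put in the email, or None if the address is
        unknown. The web form should answer identically in both cases so that it
        does not reveal which addresses have accounts.
        """
        now = time.time() if now is None else now
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[token_fingerprint(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, new_password_record: str, now: Optional[float] = None) -> bool:
        """Consume the token and replace the password record.

        Nothing here needs, or could produce, the old password: the only
        operation the link permits is writing a new record.
        """
        now = time.time() if now is None else now
        # pop() makes the token single-use whether or not the rest succeeds.
        # The lookup key is a hash of a 256-bit random value, so the usual
        # constant-time comparison concern for secrets does not arise here.
        entry = self.pending.pop(token_fingerprint(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.users[email] = new_password_record
        return True


if __name__ == "__main__":
    store = PasswordResetStore()
    store.users["tutor@example.com"] = "record-v1"  # constructed sample account
    link_token = store.request_reset("tutor@example.com")
    print("emailed link would carry:", link_token)
    print("stored at rest:", list(store.pending))  # only the fingerprint
    print("reset accepted:", store.redeem(link_token, "record-v2"))
    print("replay accepted:", store.redeem(link_token, "record-v3"))  # False: single use
```

An attacker who controls the mailbox can complete this flow, exactly as the paragraph says, but what they obtain is the ability to write a new record; the old password is never in the email, the link or the reset table.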

How do we do this? Well, we use something called a hash. Instead of storing “abc123” we store a SHA-1 hash of that password, “c8fed00eb2e87f1cee8e90ebbe870c190ac3848c” (the 40-character hexadecimal form of the digest). When you log in, we hash the password you typed and check whether the result matches the stored value. But there is no known way to take the hash and work backwards to the original plain text. Think of it as one-way encryption with no way to reverse the process. Our system is slightly more complicated since we also store a ‘salt’ alongside each hash: a random value mixed into the hash so that two users with the same password get different stored values and an attacker cannot use a precomputed table of hashes to look them up. The general concept, though, is pretty simple. The end result is that even if someone stole our database, they would not get the passwords handed to them. One caveat is worth knowing: a hash cannot be reversed, but it can be guessed at. Anyone holding the database can hash candidate passwords and compare, and a plain SHA hash is fast enough that a weak password like “abc123” would be matched from a wordlist almost instantly. The salt stops that work from being done in advance or shared between accounts, and the standard remedy for the rest is a deliberately slow password hashing function (PBKDF2, bcrypt and the like) together with a password that is not in any wordlist.
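The three stages of the scheme just described, as an added Python example that is not onCourse’s own code: a bare SHA-1 of the password, a dictionary attack against it, and a salted, iterated version (PBKDF2-HMAC-SHA1 from the standard library, chosen here as the assumption; the page does not say which salted construction onCourse uses) with its store and verify routines. The record layout, the `COMMON_PASSWORDS` wordlist and the function names are all constructed for this example:

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed stand-in for a cracker's wordlist; real ones hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "abc123", "letmein"]


def sha1_hex(data: bytes) -> str:
    """Hex form of a SHA-1 digest: 40 characters, as in the value quoted above."""
    return hashlib.sha1(data).hexdigest()


def store_plain_sha1(password: str) -> str:
    """The scheme as the paragraph first describes it: one SHA-1 of the password."""
    return sha1_hex(password.encode())


def guess_plain_sha1(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """A hash cannot be reversed, but it can be matched: hash each guess and compare.
    Because there is no salt, one such table serves every account in the database."""
    for candidate in wordlist:
        if hmac.compare_digest(store_plain_sha1(candidate), stored):
            return candidate
    return None


def store_salted(password: str, iterations: int = 100_000) -> str:
    """Salted and deliberately slowed: PBKDF2-HMAC-SHA1 with a per-user random salt.

    Record layout (an assumption for this example): algo$iterations$salt$digest.
    Storing the parameters with the record lets the iteration count be raised later.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Login check: recompute with the stored salt and parameters, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha1":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac(
        "sha1", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def guess_salted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Guessing still works when the salt is known, but each guess now costs
    `iterations` hashes and nothing computed for one record helps with another."""
    for candidate in wordlist:
        if verify_salted(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    plain = store_plain_sha1("abc123")
    print("plain SHA-1 record:", plain)
    print("guessed from wordlist:", guess_plain_sha1(plain, COMMON_PASSWORDS))
    salted = store_salted("abc123")
    print("salted record:", salted)
    print("same password, new record:", store_salted("abc123") != salted)
    print("login with right password:", verify_salted("abc123", salted))
    print("login with wrong password:", verify_salted("abc124", salted))
```

Run it twice and the salted record differs each time while the plain SHA-1 does not; that is the property that kills precomputed tables. The weak password still falls to `guess_salted`, which is the point of the caveat above: salting and slowing raise the attacker’s cost per account, but only an unguessable password takes it out of reach.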

Why are we doing all this? Well, firstly it is just good security. But it is becoming more important now that more services are going to be available online. Tutors will soon be able to mark outcomes online; they are already able to mark attendance. These records are vital for RTO and CRICOS auditing, so it matters that only the right person can write them. Students will soon be able to spend credit on their account, and features like these make security more and more important.

Hopefully this has helped to explain the reasons behind the missing password field in the onCourse client.