Category | ⇒ | Authentication Libraries |
Status | New | ⇒ | Confirmed |
Joomla currently allows md5 passwords too... try it if you don't believe me ;-) 21232f297a57a5a743894a0e4a801fc3 :)
That's because the core API still supports authenticating users who have those hashes and those hashes are properly rehashed to bcrypt when encountered. It's also much more plausible to have active user accounts with those hashes (sites are still being migrated from versions earlier than 2.5.17 and 3.2.0). This whole issue debates a hash that was only used by core in one release for a 6 week period and only in an explicit configuration.
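The rehash-on-login behaviour described in the comment above, as an added example that is not part of the original thread and not Joomla's own code: `verifyAndUpgrade()` and the `$users` store are hypothetical names, and the legacy format is assumed to be a bare 32-character hex MD5 digest like the one quoted earlier.

```php
<?php
// Added example: verify a stored hash and upgrade legacy MD5 to bcrypt on login.
// verifyAndUpgrade() and $users are hypothetical names, not Joomla's API.

/**
 * @return array [bool authenticated, ?string replacement hash to store]
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    $options = ['cost' => 12];

    // Assumed legacy format: bare 32-character hex MD5 digest (unsalted).
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // The plaintext is only available at a successful login,
        // so this is the one point where the hash can be upgraded.
        return [true, password_hash($password, PASSWORD_BCRYPT, $options)];
    }

    // Modern format: anything produced by password_hash().
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Also upgrade bcrypt hashes created with a lower cost.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $options)
        ? password_hash($password, PASSWORD_BCRYPT, $options)
        : null;

    return [true, $new];
}

// Constructed sample store: one account still holding a legacy MD5 digest.
$users = ['legacy' => md5('sample-passphrase')];

foreach (['wrong-guess', 'sample-passphrase', 'sample-passphrase'] as $attempt) {
    [$ok, $newHash] = verifyAndUpgrade($attempt, $users['legacy']);
    if ($newHash !== null) {
        $users['legacy'] = $newHash; // persist the upgraded hash
    }
    // Show only the scheme prefix of what is now stored.
    printf("%-18s ok=%s stored=%s\n", $attempt, $ok ? 'yes' : 'no', substr($users['legacy'], 0, 7));
}
```

Accounts that never log in again keep their legacy digest indefinitely, which is why dropping support for a legacy format is a deprecation decision rather than something the rehash path resolves on its own.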
Ah OK then, so the plan is to still allow the md5 hash login (which I know instantly gets converted)?
I would suggest re-evaluating that one (and possibly PHPass) for 5.0 at the earliest.
Cool, maybe another thought is a lot of other web apps now provide a PHP CLI to hash a pw ... (http://symfony.com/blog/new-in-symfony-2-7-security-improvements)
Joomla have a proper CLI interface? Excuse me while I go laugh heartily because that'll be blocked as long as we keep focusing on Joomla only being usable through the UI then get back to work on my current Symfony project.
There is a /cli folder though, that's a start, took years for that to happen :)
#jab17 bug squad here, is this still a concern?
Status | Confirmed | ⇒ | Information Required |
Status | Information Required | ⇒ | Confirmed |
set Status on "Information Required".
It basically comes down to a decision of what hashing support do we deprecate and when. But yes it is still a proper concern.
Status | Confirmed | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-10-19 05:09:13 |
Closed_By | ⇒ | franz-wohlkoenig |
Closed_Date | 2017-10-19 05:09:13 | ⇒ | 2017-10-19 05:09:14 |
Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/12333
Even more specificity here. Only user accounts created on a server running PHP 5.3.1 through 5.3.6 (IIRC 5.3.7 was fine thanks to support from the password_compat polyfill) on a Joomla 3.2.0 installation (3.2.1 brought in PHPass and 3.3.0 the "proper" PHP 5.5 password API).