Authentication: Fixing issues with legacy MD5 hashes with empty salts that contain a colon (':') in the DB
I upgraded from 3.0.3 to 3.3.6 recently and found some legacy users were unable to log in. These users had MD5-hashed passwords with empty salts. However, in the DB the colon (':') was still appended to the end of the password hash. The hash comparison in helper.php did not take this into account and thusly denied them when they tried to log in.
Examples:

| Plaintext | Salt | DB hash | Result |
|---|---|---|---|
| test | (empty) | `098f6bcd4621d373cade4e832627b4f6` (no colon) | Login succeeds |
| test | (empty) | `098f6bcd4621d373cade4e832627b4f6:` (with colon) | Login fails |
| test | 1234 | `16d7a4fca7442dda3ad93c9a726597e4:1234` (with colon and salt) | Login succeeds |
The modified code assumes that if there was a ':' found in the original hash (strpos), and the salt is empty (second half of the conditional), it must have been at the end of the string. We re-add that so the hash comparison works properly.
After the change, all three of the examples listed above work, indicating that the original legacy users and my broken users work just fine.
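As an added illustration (not Joomla's helper.php, which is PHP), the comparison logic described above, reconstructed in Python: the candidate is rebuilt in the stored `hash[:salt]` form and compared against the whole stored string, so a record with a trailing colon and an empty salt only matches once the colon is re-added. It assumes the legacy scheme is `md5(password + salt)`, which the salted example in the table implies.

```python
import hashlib
import hmac


def split_legacy_hash(stored: str) -> tuple[str, str]:
    """Split a legacy 'hash[:salt]' record into (digest, salt).

    A record with no colon has an empty salt, and so does one whose colon
    is the last character: both describe an unsalted MD5 password.
    """
    if ":" in stored:
        digest, salt = stored.split(":", 1)
    else:
        digest, salt = stored, ""
    return digest, salt


def verify_legacy_md5(plaintext: str, stored: str, apply_fix: bool = True) -> bool:
    """Check plaintext against a legacy md5(password + salt) record.

    apply_fix=False reproduces the pre-PR behaviour, where a record such as
    '<md5>:' with an empty salt never matched because the rebuilt candidate
    lacked the trailing colon. apply_fix=True applies the PR's rule: a colon
    found alongside an empty salt can only have been the trailing separator,
    so it is re-appended before the (constant-time) comparison.
    """
    _, salt = split_legacy_hash(stored)
    candidate = hashlib.md5((plaintext + salt).encode("utf-8")).hexdigest()
    if salt:
        candidate += ":" + salt
    elif apply_fix and ":" in stored:
        candidate += ":"
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # The three records from the PR description (constructed sample input).
    for record in (
        "098f6bcd4621d373cade4e832627b4f6",
        "098f6bcd4621d373cade4e832627b4f6:",
        "16d7a4fca7442dda3ad93c9a726597e4:1234",
    ):
        before = verify_legacy_md5("test", record, apply_fix=False)
        after = verify_legacy_md5("test", record)
        print(f"{record:45} before fix: {before!s:5} after fix: {after}")
```

Any user that still authenticates through this path should have the record rewritten with the current algorithm on login, as the later comments describe 3.3.6 doing.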
@brianteeman: These users are very, very legacy. Some from the 1.x days. A password could be generated without the salt then. Joomla just never rewrote the hashes in the database, for some reason or another. In 3.3.6, when one of these legacy users does login, it rewrites their hashes to use the Blowfish algorithm, which makes me very happy to see. But first I need to get them logged in.
You can't just remove the salt, obviously. You have to have hashed the password without a salt as well. Take one of my examples above and try it out. The first one is the word 'test' without a salt, a straight MD5 hash of that word.
Not sure I understand how that could have ever happened, but I can confirm your findings and that the PR resolves it.
Simply this site was a replacement from a J1.0 site. We imported users from the old site. That's how we ended up with these old hashes and logins. The only issue we had with it was Joomla didn't rewrite the hashes. Whatever caused it not to do that was resolved inside the last two years the site has been in production without an upgrade. Thusly these users' terrible hashes stuck around a while.
Thanks for confirming the change!
I've created nerddtvg#1 to your branch which adds a unit test for your passwords
| Field | Old value | New value |
|---|---|---|
| Category | | Authentication |
| Status | Pending | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2014-12-29 22:03:40 |
Merged - thanks!
Thank you!
How is it possible to create a password without a salt?
Joomla 3.0.3 created passwords with a salt.
Also, I just checked on 3.0.3 by removing the salt in the DB, just leaving the trailing colon, and it was NOT possible to log in.
On 29 December 2014 at 13:00, Drew notifications@github.com wrote:
Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/