How is it possible to create a password without a salt?

Joomla 3.0.3 created passwords with a salt

Also I just checked on 3.0.3 by removing the salt in the db just leaving
the trailing colon and it was NOT possible to login

On 29 December 2014 at 13:00, Drew notifications@github.com wrote:

Authentication: Fixing issues with legacy MD5 hashes with empty salts that
contain a colon (':') in the DB

I upgrade from 3.0.3 to 3.3.6 recently and found some legacy users were
unable to login. These users had MD5 hashed password with empty salts.
However in the DB the colon (':') was still appended to the password at the
end. The hash comparison in helper.php did not take this into account and
thusly denied them when trying to login.

Examples:
Plaintext: test
Salt: (empty)
DB Hash: 098f6bcd4621d373cade4e832627b4f6 (no colon)
Result: Login succeeds

Plaintext: test
Salt: (empty)
DB Hash: 098f6bcd4621d373cade4e832627b4f6: (with colon)
Result: Login fails

Plaintext: test
Salt: 1234
DB Hash: 16d7a4fca7442dda3ad93c9a726597e4:1234 (with colon and salt)
Result: Login succeeds

The modified code assumes that if there was a ':' found in the original
has (strpos), and the salt is empty (second half of the conditional), it
must have been at the end of the string. We re-add that so the hash
comparison works properly.

After the change, all three of the examples listed above work indicating

the original legacy users and my broken users work just fine.

You can merge this Pull Request by running

git pull https://github.com/nerddtvg/joomla-cms staging

Or view, comment on, or merge it at:

#5551
Commit Summary

• Authentication: Fixing issues with legacy MD5 hashes with empty salts that contain a colon (':') in the DB

File Changes

• M libraries/joomla/user/helper.php https://github.com/joomla/joomla-cms/pull/5551/files#diff-0 (4)

Patch Links:

• https://github.com/joomla/joomla-cms/pull/5551.patch
• https://github.com/joomla/joomla-cms/pull/5551.diff

—
Reply to this email directly or view it on GitHub
#5551.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

@brianteeman: These users are very, very legacy. Some from the 1.x days. A password could be generated without the salt then. Joomla just never rewrote the hashes in the database, for some reason or another. In 3.3.6, when one of these legacy users does login, it rewrites their hashes to use the Blowfish algorithm, which makes me very happy to see. But first I need to get them logged in.

You can't just remove the salt, obviously. You have to have hashed the password without a salt as well. Take one of my examples above and try it out. The first one is the word 'test' without a salt, a straight MD5 hash of that word.

Not sure I understand how that could have ever happened but I can confirm your findings and that the PR resolves it

Simply this site was a replacement from a J1.0 site. We imported users from the old site. That's how we ended up with these old hashes and logins. The only issue we had with it was Joomla didn't rewrite the hashes. Whatever caused it not to do that was resolved inside the last two years the site has been in production without an upgrade. Thusly these users' terrible hashes stuck around a while.

Thanks for confirming the change!

I've created nerddtvg#1 to your branch which adds a unit test for your passwords

@wilsonge Thank you, I've gone ahead and merged it.

Merged - thanks!

Thank you!