syntaxseed,
@syntaxseed@phpc.social

I have an 8.0 project where comparing legacy hashed passwords suddenly stopped working.

I think it's because older accounts are using blowfish ($2a$) and a salt of 21 characters, but whatever it was falling back to stopped working because it wants a 22-character salt.

My client now has users with passwords I'm not sure how to validate because I can't replicate the hash.

I guess my next step is to just regenerate & email new passwords. But I don't like it.

timwolla,
@timwolla@phpc.social
syntaxseed,
@syntaxseed@phpc.social

password_verify() does not work with these. So it tries that first (for newer accounts) then falls back to the old method with crypt() - which stopped working & I think it's because of something in 8.0.3.

realn2s,

@syntaxseed
Cc @sebastian, do you have any idea what happens there?

sebastian,
@sebastian@phpc.social

@realn2s @syntaxseed Not my area of expertise, sorry. Maybe @theseer can help?

afilina,
@afilina@phpc.social

@syntaxseed Could you post the code that was used to generate the hash in the first place? I might provide some pointers, since I upgrade encryption-related code often.

syntaxseed,
@syntaxseed@phpc.social

@afilina Let me dig that up in a sane format. 😁

syntaxseed,
@syntaxseed@phpc.social

@afilina Here's a gist of the old password hashing class. It's using blowfish and 21-character salts. I think the salt length is the issue.

It creates hashes that look like:
$2a$10$78b367f8d5feaa9b34b61.JKGar4N5ibBXe6lVjdtsLATzqp3UAR.

https://gist.github.com/syntaxseed/37b3fbe65a4fa67879aa3ce1af130131

shudder,
@shudder@phpc.social
syntaxseed,
@syntaxseed@phpc.social

@shudder @afilina Uuug damn.

syntaxseed,
@syntaxseed@phpc.social

@shudder @afilina I can't fathom how there was not more discussion about the backward-breaking fallout of this change. It's not trivial to make large swaths of password hashes suddenly un-validate-able. 🤦‍♀️

afilina,
@afilina@phpc.social

@syntaxseed @shudder Ok I'm back in Canada and will be able to take a look at this. I'll then propose some solutions.

syntaxseed,
@syntaxseed@phpc.social

@afilina For now I've implemented an emailed password reset.

But it sucks that I can't do that after first authenticating the user. 😓
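The fallback order described earlier in the thread (password_verify() first, then crypt() with the old 21-character salt) together with the emailed-reset decision, written out as an added example that is not from the thread or the linked gist. The column names password_hash and legacy_salt, the reuse of the $2a$10$ prefix from the hash shown above, and the outcome constants are assumptions; the point it adds is that crypt()'s documented failure return (a string shorter than 13 characters) is told apart from a plain password mismatch, so accounts that can no longer be recomputed are routed to a reset instead of being logged as bad logins.

```php
<?php
declare(strict_types=1);
// Assumed legacy data model (hypothetical column names): the old class stored its full
// crypt() output in password_hash and the 21-character salt it generated in legacy_salt.
const LEGACY_PREFIX = '$2a$10$';        // variant and cost copied from the hash in the thread
const LOGIN_OK          = 'ok';
const LOGIN_REHASHED    = 'ok_rehashed';   // caller must persist $newHash
const LOGIN_FAIL        = 'fail';
const LOGIN_NEEDS_RESET = 'needs_reset';   // hash cannot be recomputed on this PHP build

// crypt() signals failure with a string shorter than 13 characters (for example "*0")
// rather than an exception. Comparing that blindly to the stored hash only ever yields
// "wrong password", which hides the real problem: the salt is no longer accepted.
function cryptFailed(string $result): bool
{
    return strlen($result) < 13 || $result[0] === '*';
}

function verifyLogin(array $row, string $password, ?string &$newHash = null): string
{
    $stored = $row['password_hash'];
    // 1. Well-formed bcrypt strings, legacy or not, verify here. Upgrade the parameters
    //    opportunistically while the plaintext is available.
    if (password_verify($password, $stored)) {
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT);
            return LOGIN_REHASHED;
        }
        return LOGIN_OK;
    }
    // 2. Legacy fallback: recompute with the stored 21-character salt, but distinguish
    //    "crypt() refused the salt" from "password mismatch".
    $salt = $row['legacy_salt'] ?? null;
    if ($salt === null) {
        return LOGIN_FAIL;
    }
    $recomputed = crypt($password, LEGACY_PREFIX . $salt);
    if (cryptFailed($recomputed)) {
        return LOGIN_NEEDS_RESET;   // route to the emailed reset and log it for a bulk sweep
    }
    if (!hash_equals($stored, $recomputed)) {
        return LOGIN_FAIL;
    }
    // 3. Legacy hash still verifiable: migrate it now so the fallback path can be retired.
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    return LOGIN_REHASHED;
}
```

Running verifyLogin() once over every legacy row with a throwaway password and counting LOGIN_NEEDS_RESET results gives the list of accounts that must go through the reset flow before the fallback is removed.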

shudder, (edited)
@shudder@phpc.social

@syntaxseed @afilina The easiest solution would be an exec wrapper compiled with old versions of crypt_blowfish.c + crypt_blowfish.h (this one might be omitted, but requires editing the .c).
For example this
https://gist.github.com/shudd3r/87b06610422bd8f15f9be8a912c64a7e
...would accept crypt() args through the command line and output the hash.

Though I'm not sure if escaping quotes in password makes it safe enough.

syntaxseed,
@syntaxseed@phpc.social

@shudder @afilina I appreciate that, but it's not worth the special trouble to do all that for this project. 😅

dubiago,

@syntaxseed Kinda forces your users into a de facto password reset. That's always a healthy thing, especially if a good chunk are stale. Silver lining.

syntaxseed,
@syntaxseed@phpc.social

@dubiago True. And some are even older unsalted hashes. So doubly good.

My concern is that email addresses on these accounts weren't always mandatory. 😬

Gonna need a "contact an admin" message in there somewhere. Lol
