
Duplicate password after changing password

Project: Secure Password Hashes
Version: 5.x-1.2
Component: Code
Category: bug report
Priority: critical
Assigned: pramudya81
Status: closed (fixed)

Issue Summary

This is strange. It was fine using this module until users tried to change their credentials (including their passwords).

E.g.:
user01 with password user01 (and converted to phpass secure mode)
then user01 wants to change his password to user01x.

What happened was that both passwords, user01 and user01x, are valid now. And if I view it in the users table, the password for that particular user goes back to md5 format.

Urgent and Important

Regards

Comments

#1

I can confirm that the change password was not working. But I cannot confirm that you can log in using either password. This is a pretty serious bug :( Users can't update their passwords. Please check out the latest dev version and confirm that this fixes it for you, and I'll make a new release. Thanks!

#2

douggreen,

Sorry for the late response. I tried the phpass-5.x-1.x-dev.tar.gz module. It was fine.

The only difference I noticed was that in the users table there is no record with
uid = 0
name = blank
pass = phpass
and in the user_phpass table there is no record with
uid = 0
hash = blank

Is it intentional? So we can straight away disable the module after reverting all users back to md5 format?

To disable this module in the phpass-5.x-1.1.tar.gz version, we need to manually delete those 2 records in each of the users and user_phpass tables, even if all users' passwords are already in md5 format.

The rest was fine and well.

Regards

#3

I found another buggy behavior.

Say user01 has password user01
and user02 has password user02

Then enable the phpass module.

Say user02 logs in and updates the password for user01 (password=user01).
user01's password was changed successfully.
But user02's password has changed to user01's password as well.

This is a very buggy situation...

Regards

#4

Hello,

Any progress on this issue?

Regards

#5

Status: active » fixed

Sorry, I didn't update the issue queue. I think that it is fixed in the 5.x-1.3 version.

#6

Hmm, OK, thanks. I did not know that 5.1.3 was already released.
I'll try this and inform you later.

Regards

#7

Great, douggreen, now it works perfectly.

Regards

#8

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.