Possible bug/problem in user login procedure? - Incorrect password

Started by lwiz, December 01, 2015, 01:49:33 PM


lwiz

Greetings!

SMF version: 2.0.11
Mid-sized(?) forum with about 9k registered members.

Lately we have started getting "Incorrect password" errors for some users. The accounts do not recognize the password given, whether a new one is set by the user via "forgot password" or by an administrator directly editing the user data.

However, if the user login name is changed, logging in, password changes etc. start to work as expected. Thus I suspect, without knowing the innards of the login procedure, that SMF calculates some kind of hash which is used in finding the login account. Somehow the hash hits a duplicate user instead of the intended one, resulting in "incorrect password."

No errors or warnings are logged to the SMF, database, Apache or system logs while changing the password.

Of course, I may be completely wrong in my deduction of how login works, led astray by a red herring. Where should I start locating and debugging the issue?

-Reko

margarett

Out of interest, do any of the affected users have non-ASCII or accented characters in the username?
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Kindred

well, the first question is: What mods are you running?

Are you running tapatalk or oneall?

yes... the password is hashed using the username (which means, if the username is changed, the password has to be re-generated and sent to the user)
There is no hash used "to find the login account". The username is used to find the account and the hashed password is compared against the database
(passwords are never stored in plain text and never sent in plain text)

However, I have never seen this happen on any "out of the box" SMF installation -- which is why I ask about the mods.


Margarett's idea is also something to check....
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
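
The login flow described in the post above, as an added sketch that is not part of the thread and is not SMF or Tapatalk code. It assumes SMF 2.0 stores the SHA-1 of the lower-cased member name concatenated with the password; the function names and sample accounts are constructed for illustration.

```python
import hashlib

def ascii_lower(s: str) -> str:
    # Lower-case A-Z only, the way a byte-wise strtolower() in the C locale would.
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)

def name_salted_sha1(member_name: str, password: str, lower=ascii_lower) -> str:
    # Assumed scheme: sha1(lower-cased member name + password), hex encoded.
    return hashlib.sha1((lower(member_name) + password).encode("utf-8")).hexdigest()

def diagnose(stored_name, stored_hash, password, former_names=()):
    """Explain why a known-good password does or does not verify for one member row."""
    if name_salted_sha1(stored_name, password) == stored_hash:
        return "ok"
    # Same name, but the writer lower-cased non-ASCII letters too.
    if name_salted_sha1(stored_name, password, lower=str.lower) == stored_hash:
        return "hash was built with Unicode-aware lower-casing"
    # Name was changed without regenerating the password hash.
    for old in former_names:
        if name_salted_sha1(old, password) == stored_hash:
            return f"hash still bound to former name {old!r}"
    return "no match: wrong password or hash written by other code"

if __name__ == "__main__":
    pw = "s3cret"  # constructed sample password
    h = name_salted_sha1("Reko", pw)
    # Constructed member rows: (member_name, passwd column, former names)
    rows = [
        ("Reko", h, ()),                       # untouched account
        ("Reko2", h, ("Reko",)),               # renamed, hash never regenerated
        ("Ärjy", name_salted_sha1("Ärjy", pw, lower=str.lower), ()),
    ]
    for name, stored, former in rows:
        print(name, "->", diagnose(name, stored, pw, former))
```

Run against a test account whose password is known, this separates a hash that is stale after a rename from one written by code that builds the salt differently.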

lwiz

Our board is mostly UTF8-FI, but there are no accented characters in the username or password - only 7-bit ASCII is used in either, really.

-Reko

lwiz

Quote from: Kindred on December 01, 2015, 01:54:42 PM
well, the first question is: What mods are you running?
Are you running tapatalk or oneall?

We're pretty mod-light; however, we do have Tapatalk. The first thing I checked after these errors started, though, was deinstalling Tapatalk and flushing the local cache. Could try to do that one again though.

//EDIT

Just out of curiosity - do the Tapatalk login functions "overwrite" the regular SMF ones even outside the MOBIQUO context (i.e. when a regular web client is used)?

Michael Vail

Hello,

I was having this problem on my SMF 2.0 Forum with Tapatalk SMF 2.0 Plugin 4.2.9 installed. It's been doing it for months. Users were unable to log in on the main SMF login screen and would get an "Unknown Password" error. They would be directed to a second login screen where they could re-enter their login info or reset their password. The second screen would allow them to log in.

I suspected Tapatalk was the issue and uninstalled the Tapatalk mod and the problem stopped immediately. I haven't researched it any further at this point but wanted you to know that Tapatalk was indeed the culprit in my case.

On a side note, the SMF package manager was unable to remove the index template file and said there was an error with the uninstaller but I did it anyway and the site still works. I'll fix that later but for now, I can still use my site just fine without changing anything else.

Hope this helps,
Mike Vail
SMF Site: www.sonomacountydsa.org/forums

Michael Vail

Just to follow-up on this, I downloaded and installed Tapatalk SMF 2.0 Plugin 4.3.5 (latest version as of this writing) and my site works as it should now with Tapatalk installed.

Warm Regards,
Mike Vail