Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: marjorie - May 07, 2014, 04:09:35 AM

Title: Setting raw passwords to lower case
Posted by: marjorie - May 07, 2014, 04:09:35 AM
For reasons of compatibility with legacy systems, we need to set the raw password string as entered by the user in the login template to lowercase[1][2]. Is this possible? We currently use the default SMF theme. Please do PM me if you'd rather not discuss manipulating user PWs on a public forum!

[1] Our user accounts and passwords are managed through a legacy system. We use the validate_login hook to pass the uid and password entered to the forum to the legacy system for (pre)validation. If it passes, we then (a) automatically register users new to the forum and (b) set the pw to the validated pw string (as existing forum users may have used the change pw facility on the legacy system). It's clever stuff; I wish I had written it! Both systems use SHA1 hashing and we are working with hashed passwords, so that's all good. The problem is that the legacy system stores PWs in lower case. The real problem is that (the large) userbase don't know that and merrily set and enter their PW using mixed case, which means comparison of the (hashed) passwords fails. We don't have the time or energy to educate the userbase at this time so... the expedient solution is to set the raw password entered to the login dialogue to lowercase before it gets hashed.
[2] yes, I know this is crazy on all sorts of levels but we are where we are.
Title: Re: Setting raw passwords to lower case
Posted by: Dragooon - May 07, 2014, 04:14:44 AM
This is a web based system? Why...is it lower casing the password? That greatly reduces the entropy and sounds like a (stupid?) arbitrary restriction.
Title: Re: Setting raw passwords to lower case
Posted by: marjorie - May 07, 2014, 04:27:33 AM
Please see [2] above. Unfortunately I'm in a hole and not in control of the people with the shovels. The question is, is a technical fix available?
Title: Re: Setting raw passwords to lower case
Posted by: margarett - May 07, 2014, 07:12:49 AM
Both PHP and JS (where the hashing is made on the client side) support "toLower" functions, so I imagine it should be doable. We just need to completely understand the password flow and apply the necessary code. If I find the time I'll try to check that.
Title: Re: Setting raw passwords to lower case
Posted by: Kays - May 07, 2014, 07:49:04 AM
Quote
We use the validate_login hook to pass the uid and password entered to the forum to the legacy system for (pre)validation.

If you pass the password as lowercase it might work. ???

Code (example):

// PHP: lowercase the submitted password before handing it to the legacy check
$lc_passwrd = strtolower($_POST['passwrd']);
validate_login($uid, $lc_passwrd);

Title: Re: Setting raw passwords to lower case
Posted by: Arantor - May 07, 2014, 08:17:25 AM
Since you need the password in lower case, you will need to disable the login hashing and then grab the password once it gets to the server.

In Subs.php, inside setupThemeContext(), you'll see a couple of tests that set up $context['disable_login_hashing']. Just force that to true and be done with it and then you'll get the password to play with. Login hashing is of no use to you here.
Title: Re: Setting raw passwords to lower case
Posted by: Dragooon - May 07, 2014, 08:41:19 AM
Quote from: Arantor - May 07, 2014, 08:17:25 AM
Since you need the password in lower case, you will need to disable the login hashing and then grab the password once it gets to the server.

In Subs.php, inside setupThemeContext(), you'll see a couple of tests that set up $context['disable_login_hashing']. Just force that to true and be done with it and then you'll get the password to play with. Login hashing is of no use to you here.
Can't one simply lower the password on client side and send another variable, like passwd_hash_lower instead of disabling login hashing?
Title: Re: Setting raw passwords to lower case
Posted by: marjorie - May 07, 2014, 09:27:54 AM
Following margarett's lead, I've found the code that hashes the pw in JS, so I can lowercase the password there before it gets hashed. Hopefully that will do, though I get the feeling Arantor's approach is a technically better solution. The idea of throwing switches to disable hashing and working with raw passwords makes me kinda nervous though; in contrast my approach involves hitting one line of code.

I'll hand my solution to the testing bears and see how it goes.

Then I'll go pick a fight with the people with the shovels.

Thanks all
Title: Re: Setting raw passwords to lower case
Posted by: Arantor - May 07, 2014, 10:02:45 AM
Unless the other system is using SHA1 of the username, password and session id, hashing it clientside is of no use to you and you might as well just turn it off entirely as suggested.
Title: Re: Setting raw passwords to lower case
Posted by: marjorie - May 07, 2014, 11:36:45 AM
Quote from: Arantor - May 07, 2014, 10:02:45 AM
Unless the other system is using SHA1 of the username, password and session id, hashing it clientside is of no use to you and you might as well just turn it off entirely as suggested.

It does. Everything else generally lines up except for the issue under discussion.
Title: Re: Setting raw passwords to lower case
Posted by: Arantor - May 07, 2014, 11:46:29 AM
Interesting. Your system is probably insecure, even more so than you might already think.

In any case, you can't even rely on using the lower-case function in JavaScript to lower-case the password properly depending on the characters used and whether you're using ISO or UTF-8 encoding.