Autofill password incorrect! Need to login twice. Has this ever been solved???

[Mr Cat]

I've been trying to find a solution this and the forums are filled with multiple threads about it - dating back years!
Still no solution, but people tend to end up writing it off as intermittent or a browser problem.
Yes I've tried all the cookie options and combinations etc.
It happens all the time, and seems like a proper 'bug' to me!

Has anybody finally solved it?

[Arantor]

There have been a spate of bots trying to break into accounts lately, if you're on anything below 1.1.13, when a bot tries to log in as you, it will log you off.

(I've never had a problem with this in the 5 years I've been running SMF)

[StarWars Fan]

I've been trying to find a solution this and the forums are filled with multiple threads about it - dating back years!
Still no solution, but people tend to end up writing it off as intermittent or a browser problem.
Yes I've tried all the cookie options and combinations etc.
It happens all the time, and seems like a proper 'bug' to me!

Has anybody finally solved it?

Nope - I know what you're talking about - it's not the latest brute-force attack bot he's talking about... It's another all together different thing... It is where regular users enter their correct password, but, are told their "password is incorrect"... VERY irritating and never fixed...

[Arantor]

Like I said, I've never encountered that in the last 5 years of running SMF...

[Illori]

please open a separate topic for your issue

[Jessica R]

My problem is similiar when logging in says incorrect username  lol and I know it is correct, I usually have to try it about 3 or 4 times till it takes? Is it a buglette?

[Mr Cat]

Well I thought I must have entered it incorrectly at some stage and the browser (IE8) had remembered that, but no - if you enter the correct password and the auto complete stores it, SMF will tell you it's incorrect the next time you try to log in. It then asks you to re-enter and it accepts it.

If you clear the 'dots' and enter manually it accepts it straight away. It seems SMF has trouble reading data only from a stored password.
Technically, what's the difference?
Is there something that PHP does differently between the two methods maybe?

Some people claim it's IE's fault but there are reports of it happening across all browsers.

It was only a nuisance until now but my logs are starting to fill with password incorrect errors and I don't want to annoy my members!

[Jessica R]

I solved my login multiple times problem by downloading the mod to use your email addy instead of username. Works Great on first try. ty mods

[Mr Cat]

Thanks for that suggestion - I appreciate it
I'd rather not have to add a mod if possible though. Surely this is something fundamental that needs solving?

I've been looking at the code and I'm wondering if the accept-charset="ISO-8859-1" attribute has any part in this...?

[Arantor]

I suspect it's related to the field being saved with the wrong value; the value is encrypted normally before it's sent to SMF...

[Mr Cat]

Hmmm...
I've been playing with an IE autocomplete password cracker. It can read the dots in forms from other websites but not my forum!
Somehow the password is not getting stored correctly. I still wonder if that charset encoding thing is involved?

[Hj Ahmad Rasyid Hj Ismail]

First of all, it may not be safe to use autocomplete.

Second, the only way I know to make it work, for myself that is, is to uninstall the browser software and delete all of its folder in windows program files (if you are using windows). Install it back and try again. Work for me but... I have to do all autocomplete over again 

[Arantor]

I still wonder if that charset encoding thing is involved?

It isn't, no. The way the password is hashed is done specifically to ignore charset type.

Somehow the password is not getting stored correctly.

Did I mention the password was encrypted before it's sent to SMF?

[Mr Cat]

Why does autocomplete work for other sites and not SMF? Why does the password reader work on other sites and not SMF?
I'm trying to work out why SMF is different.
To me, it's logical to assume the problem is in the SMF coding...?

[Arantor]

For the third time: SMF takes your password, and encrypts it.

The original password is NOT sent to the server. So it never gets put into the autocomplete, because it's taken away by Javascript before auto complete can save it.


I mean, if you want your password being sent to the server unencrypted, turn off Javascript, go nuts. Doesn't change the fact that this is done for your security, at the cost of a little inconvenience.

[Hj Ahmad Rasyid Hj Ismail]

Why does autocomplete work for other sites and not SMF? Why does the password reader work on other sites and not SMF?
I'm trying to work out why SMF is different.
To me, it's logical to assume the problem is in the SMF coding...?

To tell you the truth, it works just fine with somebody, and not for others. So basically, it's your PC and how you managed it and the relevant browser you are using. It got nothing to do with SMF IMO. (It's working fine for me in FF and Chrome).

[Mr Cat]

OK you're right - I just tried Firefox and that's OK.
I'll assume it's just IE for now. Other reports (and I've read a lot on here but no fix) say other browsers have problems too.
My PC works fine on other sites, plus IE is still very popular so I'd still like to get to the bottom of it.

[Arantor]

Even though I already told you what the core of the problem is?

Do me a favour, disable Javascript and try it again. Now you'll find you have no login issues, password logged via auto complete and password attackable by password breaking tools.

Or you could continue to ignore what I've been saying...

[Mr Cat]

Sorry - I'm not intentionally ignoring you.

Check this out: It comes close to solving it...
http://www.simplemachines.org/community/index.php?topic=76172.0

[Arantor]

And that talks about doing exactly what I said: disabling the hashing.

[Mr Cat]

OK thanks. It would be nice to know exactly why I have to disable a standard function in SMF without knowing exactly why it's broken in this particular situation, and if and when the situation is likely to occur for my forum users though.

[Arantor]

Because IE doesn't adhere to any kind of standard properly, and tries to store values it's not supposed to. Since the behaviour changes every version, if only slightly, getting a consistent fix has been problematic.

The Javascript tries to do its part to protect your password, and has no ability to influence what mess IE makes of the rest of it.

[Mr Cat]

Thanks I do appreciate your help here.
I was confused by other posts that said other browsers had problems also. I'm on a steep learning curve re SMF and I don't know Javascript

Sounds like it boils down to IE striking again!

[Arantor]

Mostly the same basic thing: there's no standard for auto complete, no guidance for app developers (or browser writers) to follow. It's only just become part of HTML 5 that there's a consistent way to turn the damn thing off, which was a rather nasty bug in SMF 2.0 for a while in Chrome. (Where you change passwords in user profiles and it had a habit of reusing supplied passwords and overwriting other users' passwords if you're an admin...)

There are other factors that you don't see considered in these debates - if you've brought your users from another forum, they'll have to enter their password twice regardless of browser, so that hashing can be turned off (since the hashes from other forums are different) and the password resent in plain for the benefit of re-encoding it later.

[Mr Cat]

The coding solution at the bottom of this thread works for me so far:
http://www.simplemachines.org/community/index.php?topic=95019.0

Thanks again Arantor

[Arantor]

Let me repeat myself again. Maybe this time it'll be heard.

And that talks about doing exactly what I said: disabling the hashing.

It's sent in plain text to the server, any packet sniffer could retrieve it. Forget the whole concept of security over wifi in that case.

It's also stored in your browser in plain text, where even the most basic tools will find it.

[Hj Ahmad Rasyid Hj Ismail]

I need some clarifications; is yours a configuration problem that is solved by repair_settings.php then or you disabled java in IE or you disable login hashing?

[Arantor]

I never had this problem

The solution used above turns off the hashing of the password, which means it's exclusively sent in plain text the whole time. Like I've said multiple times in this thread. This is not good for security, and it's not done that way by default for a reason.

[Mr Cat]

I turned off password hashing and that seems to have fixed it.
You've said "multiple times" that the solution is not good - well could you repeat your solution please?

Because I do need a solution, and I would rather have one that doesn't involve hacking code that's there for a reason.

If you think I'm not listening or being rude (which I'm not - I'm a newbie trying to understand what's being said) then you don't need to get rude. Just don't post.

[Mr Cat]

This appears (to me) to be the same issue:
http://www.simplemachines.org/community/index.php?topic=295188.0

[Arantor]

well could you repeat your solution please?

I didn't say I had a solution. I'm pointing out the problems in that solution, and why you shouldn't use it. You see, in the 5 years I've been using SMF (every day!) I haven't had this problem, across a range of browsers, a range of systems and I've never been able to reproduce it myself. If I had, I would have long since properly started debugging it and supplying the fix to the team, in addition to the other bugs I'd reported with fixes.

[Hj Ahmad Rasyid Hj Ismail]

Thanks for the info. Solutions method noted with its warning too. It seems IE still needs a lot of improvements. I will stay with FF and Chrome until IE shows some significant improvements.

[Dever]

Doesn't seem to me this was ever really solved?

I'm having the exact same problem with 1.1.13 with Firefox and users reporting same problem with Chrome. I definately don't want to disable hashing or risk security in any way. Is there any real solution to this at all?

[Rob Lightbody]

I get this problem in all my browsers (latest IE9, latest Chrome, Latest Firefox and also the browser on my Android Gingerbread 2.3.3 phone) and would love a solution for it.

Forum installed January 2009 with the latest version then, and upgraded incrementally to 1.1.14 since.