Setting raw passwords to lower case

Started by marjorie, May 07, 2014, 04:09:35 AM


marjorie

For reasons of compatibility with legacy systems, we need to set the raw password string as entered by the user in the login template to lowercase[1][2].  Is this possible? We currently use the default SMF theme. Please do PM me if you'd rather not discuss manipulating user PWs on a public forum!

[1] Our user accounts and passwords are managed through a legacy system. We use the validate_login hook to pass the uid and password entered to the forum to the legacy system for (pre)validation. If it passes, we then (a) automatically register users new to the forum and (b) set the pw to the validated pw string (as existing forum users may have used the change pw facility on the legacy system). It's clever stuff; I wish I had written it! Both systems use SHA1 hashing and we are working with hashed passwords, so that's all good. The problem is that the legacy system stores PWs in lower case. The real problem is that (the large) userbase doesn't know that and merrily sets and enters their PW using mixed case, which means comparison of the (hashed) passwords fails. We don't have the time or energy to educate the userbase at this time so... the expedient solution is to set the raw password entered to the login dialogue to lowercase before it gets hashed.
[2] Yes, I know this is crazy on all sorts of levels, but we are where we are.

Dragooon

This is a web based system? Why...is it lower casing the password? That greatly reduces the entropy and sounds like a (stupid?) arbitrary restriction.

marjorie

Please see [2] above. Unfortunately I'm in a hole and not in control of the people with the shovels. The question is, is a technical fix available?

margarett

Both PHP and JS (where the hashing is made on the client side) support "toLower" functions, so I imagine it should be doable. We just need to completely understand the password flow and apply the necessary code. If I find the time I'll try to check that.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Kays

Quote
We use the validate_login hook to pass the uid and password entered to the forum to the legacy system for (pre)validation.

If you pass the password as lowercase it might work. ???

Code (example):

<?php
// Lower-case the raw password from the login form before passing it on for validation
$lc_passwrd = strtolower($_POST['passwrd']);
validate_login($uid, $lc_passwrd);


If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Arantor

Since you need the password in lower case, you will need to disable the login hashing and then grab the password once it gets to the server.

In Subs.php, inside setupThemeContext(), you'll see a couple of tests that set up $context['disable_login_hashing']. Just force that to true and be done with it and then you'll get the password to play with. Login hashing is of no use to you here.
Holder of controversial views, all of which my own.


Dragooon

Quote from: Arantor - May 07, 2014, 08:17:25 AM
Since you need the password in lower case, you will need to disable the login hashing and then grab the password once it gets to the server.

In Subs.php, inside setupThemeContext(), you'll see a couple of tests that set up $context['disable_login_hashing']. Just force that to true and be done with it and then you'll get the password to play with. Login hashing is of no use to you here.
Can't one simply lower the password on client side and send another variable, like passwd_hash_lower instead of disabling login hashing?

marjorie

Following margarett's lead, I've found the code that hashes the pw in JS, so I can lowercase the password there before it gets hashed. Hopefully that will do, though I get the feeling Arantor's approach is a technically better solution. The idea of throwing switches to disable hashing and working with raw passwords makes me kinda nervous though; in contrast my approach involves hitting one line of code.

I'll hand my solution to the testing bears and see how it goes.

Then I'll go pick a fight with the people with the shovels.

Thanks all

Arantor

Unless the other system is using SHA1 of the username, password and session id, hashing it clientside is of no use to you and you might as well just turn it off entirely as suggested.
Holder of controversial views, all of which my own.


marjorie

Quote from: Arantor - May 07, 2014, 10:02:45 AM
Unless the other system is using SHA1 of the username, password and session id, hashing it clientside is of no use to you and you might as well just turn it off entirely as suggested.

It does. Everything else generally lines up except for the issue under discussion.

Arantor

Interesting. Your system is probably insecure, even more so than you might already think.

In any case, you can't even rely on using the lower-case function in JavaScript to lower-case the password properly depending on the characters used and whether you're using ISO or UTF-8 encoding.
Holder of controversial views, all of which my own.

