!IMPORTANT to fix: strange problem with passwords on hashing some chars if ...

Post by **axew3** » Sat Feb 18, 2017 10:43 am

I've find out that there is still a problem about password when we go to change it in WP profile.
If it contain characters like

Code: Select all

the pass fail to be recognized in phpBB (if i try to login with this pass in phpBB). And viceversa.

the interesting is that hashes are correctly stored as same in any case. That let me at moment really confused.
anyone know how this could never happen?

When pass are changed, are correctly updated on both WP and phpBB (if on WP on fly, if done in phpBB when user come to login or as logged visit wp).

Added: but look below what happen, and why passwords aren't correctly recognized if:

(1.6.2 has just been released in the while)...

Post by **axew3** » Sun Feb 19, 2017 1:11 am

Test Pass:
zVg%)4hK$wvDhEmr^?=)&

changed/hashed on WP (updated, result same on both):

$2a$08$2aCqkcJYCM9lcUaZopqz2usSZoIb.Tw/Cj1e.1D8N7oWQzB4g7a1q
$2a$08$2aCqkcJYCM9lcUaZopqz2usSZoIb.Tw/Cj1e.1D8N7oWQzB4g7a1q

work if login on WP, fail phpBB

changed/hashed in phpBB (updated, result same on both with same test pass):

$2y$10$PCfuM2rQOTJNfJ01Ms0hfeSkGPnq9pVZ6/WIOvj/eUTGYpKha9i0O
$2y$10$PCfuM2rQOTJNfJ01Ms0hfeSkGPnq9pVZ6/WIOvj/eUTGYpKha9i0O

work if login phpBB, not work if login WP

password change in phpBB OR WP, a different pass like this (that not contain some chars type, and is correctly updated also in this case):
Test Pass:
zVg%)4hK$wvDhEm

Hashed and respectively tested on both:
work on both. Anyone have an idea?

Post by **axew3** » Sun Feb 19, 2017 8:31 pm

the question has been fortunately kindly answered at phpBB.com:

phpBB no longer uses phpass, though we never supported the blowfish format of phpass. In phpBB 3.1, we moved to bcrypt and continue to use it: https://github.com/phpbb/phpbb/blob/3.2 ... bcrypt.php
While phpBB can support the $2a$ format of bcrypt, yours uses a cost factor of 8, while we require one of at least 10. That would cause the password hash to be recomputed and converted to the $2y$ format, which Wordpress would not be able to use.

https://www.phpbb.com/community/viewto ... #p14662636

Post by **axew3** » Tue Feb 21, 2017 10:58 pm

the problem has been resolved and fixed on next coming soon 1.6.3.

Post by **axew3** » Wed Feb 22, 2017 12:50 pm

WP_w3all 1.6.3 has been released and fix definitively the password problem.

www programming