
Issues/2659: Fix password comparison.

Open Freemandns opened this issue 3 years ago • 3 comments

Hello. This fixes #2659. I don't know Java well, so maybe I did something wrong.

Freemandns avatar Dec 23 '22 21:12 Freemandns

Please explain how this fixes the issue, it isn't clear to me.

sgdc3 avatar Jan 01 '23 04:01 sgdc3

I have already described the problem in #2659. I used the CrazyLogin plugin, which hashes passwords using the CRAZYCRYPT1 algorithm, which in turn uses the user's nickname as the salt. Because of this, the same password will have a different hash if the user types his nickname with different letter casing.

For example, my nickname is Freeman and my password is TEST_TEST.

CrazyLogin hashes my password with the CRAZYCRYPT1 algorithm using the salt "Freeman", which gives:
763304530c0eed64841526d157ec1f9b7fc20f7f73da39fbf66ebd6bc228b5b72a945ae2048fb11bd74a772f79beb10baaf1009f9b1222be667d1474b41fbf45

AuthMeReloaded (configured to hash with the CRAZYCRYPT1 algorithm) first converts my nickname to lowercase, giving "freeman", and then hashes my password with the CRAZYCRYPT1 algorithm using the salt "freeman", which gives:
86ec6077c9a4db611481863f87005f0caf8c7e663ea51e0f88adf2b6929dc1729055c798c6fa4664939c9e342b7e065217c7921e8a9625a7ca7cd0f8f090466c

Since the hashes do not match, after converting the database from CrazyLogin to AuthMeReloaded, my password is always incorrect.

I removed the conversion to lowercase and now this fix works well on my server.

Freemandns avatar Jan 01 '23 10:01 Freemandns

Thanks for the background. But this change breaks all other EncryptionMethod classes that rely on the passed in username being lowercase

ljacqu avatar Jan 14 '23 10:01 ljacqu
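The thread above describes two constraints that pull against each other: a username-salted method such as CRAZYCRYPT1 needs the name exactly as the player typed it, while the other EncryptionMethod classes rely on always receiving a lowercase name. The following is an added example, not code from the AuthMeReloaded or CrazyLogin projects, showing one way to satisfy both: keep passing the lowercase name to every method, and only for methods that declare a case-sensitive username salt retry with the name as typed. The hash constructions, the `salt_is_case_sensitive` flag, and the `check_password` helper are stand-ins I constructed for illustration; they are not CrazyLogin's real CRAZYCRYPT1 formula and not AuthMe's real EncryptionMethod interface.

```python
import hashlib
import hmac


def sha512_hex(text: str) -> str:
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


class UsernameSaltedMethod:
    """Stand-in for a CRAZYCRYPT1-style method where the player name is the salt.
    The formula below is constructed for this example; it is NOT CrazyLogin's
    real construction. The flag tells the caller that the salt's casing matters."""

    salt_is_case_sensitive = True

    def compute_hash(self, password: str, name: str) -> str:
        return sha512_hex(f"{name}:{password}")

    def compare(self, password: str, name: str, stored_hash: str) -> bool:
        # Constant-time comparison of hex digests.
        return hmac.compare_digest(self.compute_hash(password, name), stored_hash)


class LowercaseNameMethod:
    """Stand-in for a method that relies on the caller passing a lowercase name
    (the contract the other EncryptionMethod classes depend on)."""

    salt_is_case_sensitive = False

    def compute_hash(self, password: str, name: str) -> str:
        if name != name.lower():
            raise ValueError("this method expects a lowercase name")
        return sha512_hex(f"{password}:{name}")

    def compare(self, password: str, name: str, stored_hash: str) -> bool:
        return hmac.compare_digest(self.compute_hash(password, name), stored_hash)


def check_password(method, password: str, typed_name: str, stored_hash: str) -> bool:
    """Hypothetical comparison routine.

    Always try the lowercase name first, so methods that require it keep working.
    Only when the method says its username salt is case-sensitive, and the typed
    name actually differs in case, retry with the name exactly as typed, so hashes
    migrated from a plugin that salted with the original casing still verify.
    """
    candidates = [typed_name.lower()]
    if getattr(method, "salt_is_case_sensitive", False) and typed_name != typed_name.lower():
        candidates.append(typed_name)
    return any(method.compare(password, name, stored_hash) for name in candidates)


def demo() -> dict:
    """Reproduce the scenario from the thread with constructed hashes."""
    salted = UsernameSaltedMethod()
    # Hash as a CrazyLogin-style plugin would have stored it: salt "Freeman".
    stored_original_case = salted.compute_hash("TEST_TEST", "Freeman")
    # Hash as AuthMe would compute it after lowercasing: salt "freeman".
    stored_lowercase = salted.compute_hash("TEST_TEST", "freeman")

    lower_only = LowercaseNameMethod()
    stored_lower_only = lower_only.compute_hash("TEST_TEST", "freeman")

    return {
        "hashes_differ": stored_original_case != stored_lowercase,
        "migrated_hash_verifies": check_password(salted, "TEST_TEST", "Freeman", stored_original_case),
        "lowercase_hash_verifies": check_password(salted, "TEST_TEST", "Freeman", stored_lowercase),
        "wrong_password_rejected": check_password(salted, "WRONG", "Freeman", stored_original_case),
        "lowercase_method_unaffected": check_password(lower_only, "TEST_TEST", "Freeman", stored_lower_only),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, the fallback only helps when the player types the same casing that was used at registration; a player who registered as "Freeman" and later logs in as "freeman" would still fail against the migrated hash, so a migration should rehash with the server's own method on the first successful login rather than rely on the fallback forever. Second, the retry is scoped to methods that opt in via the flag, which is what keeps the lowercase contract intact for every other method; simply removing the lowercase conversion, as the original change did, would not.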