• Resolved emeraldsanctum

    (@emeraldsanctum)


    The main issue is that my password isn’t just stored in SHA1 format alone. My password is actually the username:password in SHA1 together, “:” included.

    This is how I usually have to validate
    SELECT SHA1(CONCAT(UPPER(username), ':', UPPER(<pass>)));

    So for example if I bobsmith want to login with the password Test123 using your application right now I can but I have to enter in things like

    Username : bobsmith
    Password : BOBSMITH:TEST123

    Then I will be able to login correctly.

    Any plans on allowing the use of variables like $username:$password inside of a text box that then uses the SHA1 hash?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @emeraldsanctum,

    This is a very specific use case. I don’t know why you’ve got a system that stores the username with the password but this is certainly not typical practice.

    If I understand correctly, you are concatenating username, a colon and the password and then using a SHA1 hash on that entire string? If this is true, I imagine this has been done to prevent rainbow attacks by using the username and colon as a salt when you hash the password. Not helpful now, but I would recommend that the old system should be using BCRYPT as this will not only handle generating unique salts but is also using a slow algorithm to protect against brute force attacks.

    I don’t really want to clutter the settings of the plugin and do the extra work for a single use case.

    However I would like to offer you a simple solution. If you’re happy to add a single line of code to the plugin you could make this work for just your build.

    The reason I wouldn’t want to do this if I were in your shoes is that as soon as the plugin is updated you would lose this change and have to re-add it. If the core functionality of the file changed in a future update this could also break the system.

    However, if you set the plugin to use the SHA1 hash with no salt and then in the file wordpress_external_login_plugin/login/db.php before the line . . .

    $valid_credentials = exlog_validate_password($password, $userData->{$db_data["dbstructure_password"]}, $user_specific_salt);

    . . . you could add a line something like this . . .

    $password = strtoupper(esc_sql($username)) . ":" . strtoupper($password); // uppercase both parts so the result matches SHA1(CONCAT(UPPER(username), ':', UPPER(pass)))

    If you’re comfortable with development you could always fork the project from its public repository on github: https://github.com/tbenyon/wordpress_external_login_plugin

    You’d have your own copy of the plugin then.

    If you were really keen for this functionality and wanted to make a reasonable donation I’ll look at putting hidden functionality in for you to the actual plugin.

    I’m happy to discuss this further if you think I’m being unreasonable but I think this is a one off use case that is specific to your needs.

    Thanks,

    Tom

    🙂
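The legacy scheme described in this thread, SHA1(UPPER(username):UPPER(password)), next to the bcrypt upgrade the reply recommends, as an added PHP example (not code from the plugin or from either poster). The function names, the bcrypt cost and the sample record are assumptions for illustration.

```php
<?php
// Added example, not part of the plugin: verify a login against the legacy
// SHA1(UPPER(user):UPPER(pass)) value and, once the password is known to be
// correct, rehash it with bcrypt so the username:password construction is
// no longer needed for that account.

// Same value as the MySQL expression SHA1(CONCAT(UPPER(username), ':', UPPER(pass))).
function legacy_hash(string $username, string $password): string {
    return sha1(strtoupper($username) . ':' . strtoupper($password));
}

// Returns true when the credentials match the stored value, which may be a
// 40-hex-character legacy SHA1 or a bcrypt string from password_hash().
// $newHash is set when the stored record should be replaced.
function verify_and_maybe_upgrade(string $username, string $password, string $stored, ?string &$newHash): bool {
    $newHash = null;
    $opts = ['cost' => 12]; // assumed cost; tune to the server
    $isLegacy = strlen($stored) === 40 && ctype_xdigit($stored);
    if ($isLegacy) {
        // Constant-time comparison of the two hex digests.
        if (!hash_equals($stored, legacy_hash($username, $password))) {
            return false;
        }
        // Note: the legacy scheme was case-insensitive because of UPPER();
        // after this upgrade the password is case-sensitive as typed here.
        $newHash = password_hash($password, PASSWORD_BCRYPT, $opts);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, $opts);
    }
    return true;
}

// Constructed sample record: bobsmith / Test123 stored the legacy way.
$stored = legacy_hash('bobsmith', 'Test123');
$ok = verify_and_maybe_upgrade('bobsmith', 'Test123', $stored, $newHash);
echo $ok ? "first login ok\n" : "first login failed\n";
if ($newHash !== null) {
    // Persist $newHash in place of the SHA1 value, e.g.
    // UPDATE users SET password = ? WHERE username = ?
    echo "upgrade stored hash to: $newHash\n";
    // Subsequent logins take the bcrypt path; no more legacy comparisons.
    echo verify_and_maybe_upgrade('bobsmith', 'Test123', $newHash, $again) ? "second login ok\n" : "second login failed\n";
    echo verify_and_maybe_upgrade('bobsmith', 'wrong', $newHash, $again) ? "bad password accepted\n" : "bad password rejected\n";
}
```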

    Plugin Author tbenyon

    (@tbenyon)

    I haven’t heard back from you so I’m going to mark this as resolved. Feel free to open this back up if you want to discuss it further or need any more help 🙂

    Thanks,

    Tom 🙂


The topic ‘Password Format’ is closed to new replies.