Password Hash Changing Automatically

Need some custom code changes to the phpBB core simple enough that you feel doesn't require an extension? Then post your request here so that community members can provide some assistance.

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
Post Reply
Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Password Hash Changing Automatically

Post by Demig0d »

I can't find a better place to post this...

I'm using a 3rd party class to allow logging in and account creation from my ASP.NET website. All is well, except for a strange bug that happens on occasion and I can't explain it. I know what my password is... and for any number of reasons I will get logged off, and will not be able to get logged in again even though I know i'm using the correct password.

I checked the password value in the database, and find that it's been rehashed... old value with "$H$9" becomes new pass starting with "$2y$". Does phpbb have some sort of automatic rehashing thing going on?
User avatar
tbackoff
Former Team Member
Posts: 7068
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: Password Hash Changing Automatically

Post by tbackoff »

Demig0d wrote: Sat Apr 13, 2019 8:52 pm I'm using a 3rd party class to allow logging in and account creation from my ASP.NET website.
If possible, try account creation using the user_add() function from phpBB. See if that makes any difference.
Flying is the second best thrill to cheerleaders; being caught is the first.
User avatar
AlfredoRamos
Recognised Extension Developer
Posts: 1302
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo
Contact:

Re: Password Hash Changing Automatically

Post by AlfredoRamos »

It's not a bug, phpBB has a cron task that updates password hashes to use a more secure algorithm, You should update your application to use a newer password hashing algorithm instead, $2y$ is for blowfish (bcrypt).

https://github.com/phpbb/phpbb/blob/3.2 ... hashes.php
Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Re: Password Hash Changing Automatically

Post by Demig0d »

AbaddonOrmuz wrote: Sat Apr 13, 2019 11:50 pm It's not a bug, phpBB has a cron task that updates password hashes to use a more secure algorithm, You should update your application to use a newer password hashing algorithm instead, $2y$ is for blowfish (bcrypt).

https://github.com/phpbb/phpbb/blob/3.2 ... hashes.php
Exactly. My C# algorithm made the "$H$9" hash, and it was reverted to the blowfish hash somehow.
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Password Hash Changing Automatically

Post by canonknipser »

That the intended behaviour of phpBB: whenever a user logs in to phpBB who has a deprecated hash value in the users database (like the ones starting with $H$9), the hash is converted, not reverted, to the current hashing algorithm.
When storing user data in the phpBB user table, you should use the phpBB functions to calculate all relevant values and not some custom coded. It may work for the version of phpBB you developed on, but when version changes, functions and values can change also.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Re: Password Hash Changing Automatically

Post by Demig0d »

It all makes sense now that I've had time to think it over. I just made a major update to my site and brought all of the registration and authentication over to the .NET side. The old site had it the other way around. I've been able to reduce SPAM to ZERO using .NET. This is a bummer. Thanks for the help.
Demig0d
Registered User
Posts: 65
Joined: Sat Aug 13, 2011 6:18 am

Re: Password Hash Changing Automatically

Post by Demig0d »

I feel I'm getting too old for this.

I THOUGHT I found the answer to all of my problems. Only to find that the post was by ME the last time I updated my website.

viewtopic.php?t=2375826

Doh.
Post Reply

Return to “phpBB Custom Coding”