
Password Hash Changing Automatically

Posted: Sat Apr 13, 2019 8:52 pm
by Demig0d
I can't find a better place to post this...

I'm using a 3rd party class to allow logging in and account creation from my ASP.NET website. All is well, except for a strange bug that happens on occasion and I can't explain it. I know what my password is... and for any number of reasons I will get logged off, and will not be able to get logged in again even though I know I'm using the correct password.

I checked the password value in the database, and found that it's been rehashed... old value with "$H$9" becomes new pass starting with "$2y$". Does phpBB have some sort of automatic rehashing thing going on?

Re: Password Hash Changing Automatically

Posted: Sat Apr 13, 2019 10:01 pm
by tbackoff
Demig0d wrote:
Sat Apr 13, 2019 8:52 pm
I'm using a 3rd party class to allow logging in and account creation from my ASP.NET website.
If possible, try account creation using the user_add() function from phpBB. See if that makes any difference.

Re: Password Hash Changing Automatically

Posted: Sat Apr 13, 2019 11:50 pm
by AbaddonOrmuz
It's not a bug; phpBB has a cron task that updates password hashes to use a more secure algorithm. You should update your application to use a newer password hashing algorithm instead. $2y$ is for blowfish (bcrypt).

https://github.com/phpbb/phpbb/blob/3.2 ... hashes.php

Re: Password Hash Changing Automatically

Posted: Sun Apr 14, 2019 3:25 am
by Demig0d
AbaddonOrmuz wrote:
Sat Apr 13, 2019 11:50 pm
It's not a bug; phpBB has a cron task that updates password hashes to use a more secure algorithm. You should update your application to use a newer password hashing algorithm instead. $2y$ is for blowfish (bcrypt).

https://github.com/phpbb/phpbb/blob/3.2 ... hashes.php
Exactly. My C# algorithm made the "$H$9" hash, and it was reverted to the blowfish hash somehow.

Re: Password Hash Changing Automatically

Posted: Sun Apr 14, 2019 9:04 pm
by canonknipser
That's the intended behaviour of phpBB: whenever a user logs in to phpBB who has a deprecated hash value in the users database (like the ones starting with $H$9), the hash is converted, not reverted, to the current hashing algorithm.
When storing user data in the phpBB user table, you should use the phpBB functions to calculate all relevant values and not some custom-coded ones. It may work for the version of phpBB you developed on, but when the version changes, functions and values can change also.
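
An added example (not code from this thread or from phpBB) of what an external login has to handle once the board upgrades hashes on login: it recognises both prefixes seen above, verifies a legacy "$H$" value, and flags it for replacement. It assumes the "$H$" value is in the phpass portable format (iterated salted MD5, with the character after the prefix encoding the round count); `check_login` and `bcrypt_verify` are hypothetical names, and the sample hash is constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data):
    """phpass base64 variant: 3-byte little-endian groups, 6 bits per character."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # n bytes yield n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password, setting):
    """Recompute a portable hash from the prefix, cost and salt held in `setting`."""
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    log2_rounds = ITOA64.index(setting[3])  # '9' is index 11, i.e. 2**11 rounds
    if not 7 <= log2_rounds <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def check_login(password, stored, bcrypt_verify):
    """Return (ok, needs_upgrade). `bcrypt_verify(password, stored)` is a
    caller-supplied bcrypt check (hypothetical parameter, any bcrypt library)."""
    if stored.startswith(("$H$", "$P$")):
        candidate = phpass_hash(password, stored)
        ok = hmac.compare_digest(candidate.encode(), stored.encode())
        return ok, ok  # legacy hash verified: caller should store a new bcrypt hash
    if stored.startswith("$2y$"):
        return bool(bcrypt_verify(password, stored)), False
    raise ValueError("unrecognised hash format")

# Constructed sample: salt "saltsalt" and cost character '9', not a real account.
LEGACY = phpass_hash("correct horse", "$H$9saltsalt")
```

A login path that only understands "$H$" will fail as soon as the stored value changes to "$2y$", which is the symptom described in the first post.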

Re: Password Hash Changing Automatically

Posted: Mon Apr 15, 2019 2:27 am
by Demig0d
It all makes sense now that I've had time to think it over. I just made a major update to my site and brought all of the registration and authentication over to the .NET side. The old site had it the other way around. I've been able to reduce SPAM to ZERO using .NET. This is a bummer. Thanks for the help.

Re: Password Hash Changing Automatically

Posted: Mon Apr 15, 2019 2:32 am
by Demig0d
I feel I'm getting too old for this.

I THOUGHT I found the answer to all of my problems. Only to find that the post was by ME the last time I updated my website.

viewtopic.php?t=2375826

Doh.