password hashing doesn't work for all special characters
#14

(This post was last modified: 08-05-2020, 09:23 AM by BilltheCat.)

(08-05-2020, 12:25 AM)ojmichael Wrote: The first argument to password_verify is the password, and the second argument is the hash. It looks like you have these reversed.

https://www.php.net/manual/en/function.p...verify.php

Good catch!  That was a copy/paste error on my part for sure, and I didn't try a "good" password that would have shown the typo.

So I ran a couple of new tests, one that works, and one that doesn't.  Here are the two log results with the different passwords:


Code:
DEBUG - 2020-08-05 15:18:16 -->
string    = admin
password  = 1aA!@#%^&*()-_=+{};:,<.>

DEBUG - 2020-08-05 15:18:16 -->
user is banned            = no
password in database      = $2y$11$64JQMc2Z3D680ePi/5iee.YvFed4FS1/Jt4CMn3xfXlZjIM1o43/6
supplied password match    = False
Password Validation        = Failed
required level or role    = 1
auth level in database    = 9
auth level equivalant role = admin



Code:
DEBUG - 2020-08-05 15:26:41 -->
string    = admin
password  = KA83**8!d#

DEBUG - 2020-08-05 15:26:41 -->
password in database      = $2y$11$Plsgi0m6m7Np8ZP6VFyAf.C2EqcAbs5ZLjBH9uJZnXtgcZu3yXXVS
supplied password match    = True
Password Validation        = Passed
required level or role    = 1
auth level in database    = 9
auth level equivalant role = admin

(08-04-2020, 11:12 PM)jreklund Wrote: Okay, try to log the password before "password stored in DB". That is the only place I can think of where it could be changed, as it looks correct on everything else.

I think we have a winner!


user_model log:
Code:
DEBUG - 2020-08-05 15:35:25 -->
password before DB      = 1aA!@#%^&amp;*()-_=+{};:,&lt;.&gt;
DEBUG - 2020-08-05 15:35:25 -->
password stored in DB      = $2y$11$s4QbphN38IDNphpnG/g4d.nvPsCMgjtKi.UEgPNvKerTDu3yH.kk2
DEBUG - 2020-08-05 15:35:25 -->
Password Validation      = Passed


authentication log: 
Code:
DEBUG - 2020-08-05 15:40:05 -->
string    = admin
password  = 1aA!@#%^&*()-_=+{};:,<.>

DEBUG - 2020-08-05 15:40:06 -->
user is banned            = no
password in database      = $2y$11$s4QbphN38IDNphpnG/g4d.nvPsCMgjtKi.UEgPNvKerTDu3yH.kk2
supplied password match    = False
Password Validation        = Failed
required level or role    = 1
auth level in database    = 9
auth level equivalant role = admin

Confirmed.... the issue is that my change_password method is using html_escape, but my login method was not.  Updated the login method, and it works as expected for all passwords.

Thanks for all your helpful suggestions!
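The mismatch this post tracks down, as an added example that is not part of the original post or the poster's code: plain-PHP `htmlspecialchars()` stands in for the `html_escape` helper (an assumption about how that helper behaves), and the sample password and function names are constructed here. It goes one step beyond the thread by showing the other way to make both paths agree, hashing the raw password everywhere, with a login-time fallback that re-hashes accounts whose stored hash was made from escaped text.

```php
<?php
// Assumption: htmlspecialchars() with ENT_QUOTES approximates html_escape.
// escape_for_html() and verify_and_migrate() are hypothetical names.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample password containing characters that get escaped.
$password = 'aA1!&<>"x';
$options  = ['cost' => 11]; // same bcrypt cost as the $2y$11$ hashes in the logs

// Old change-password path: the escaped text is what gets hashed.
$escaped    = escape_for_html($password);
$legacyHash = password_hash($escaped, PASSWORD_BCRYPT, $options);

// Old login path: raw input checked against a hash of escaped text.
printf("raw vs legacy hash:     %s\n", var_export(password_verify($password, $legacyHash), true));
printf("escaped vs legacy hash: %s\n", var_export(password_verify($escaped, $legacyHash), true));

/**
 * Verify the raw password first. Only if that fails, try the escaped form
 * (hashes written by the old path) and hand back a hash of the raw password
 * so the caller can replace the stored one.
 * Escaping also lengthens the input, and bcrypt only uses the first 72 bytes,
 * which is one more reason to hash the password exactly as typed.
 * Returns [bool $ok, ?string $replacementHash].
 */
function verify_and_migrate(string $raw, string $storedHash, array $options): array
{
    if (password_verify($raw, $storedHash)) {
        return [true, null];
    }
    if (password_verify(escape_for_html($raw), $storedHash)) {
        return [true, password_hash($raw, PASSWORD_BCRYPT, $options)];
    }
    return [false, null];
}

[$ok, $newHash] = verify_and_migrate($password, $legacyHash, $options);
printf("login accepted:         %s\n", var_export($ok, true));
printf("raw vs migrated hash:   %s\n", var_export(password_verify($password, $newHash), true));
printf("wrong password:         %s\n",
    var_export(verify_and_migrate('not-the-password', $legacyHash, $options)[0], true));
```

HTML escaping belongs at the point where a value is written into a page; a password is never echoed back, so it can be hashed byte-for-byte as submitted.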

