Community Auth - password more than 8 characters
#1

Hi!
I've just realized that it doesn't matter what characters come after the 8th one in my passwords.

E.g. with the password Admin1234, Admin123 and Admin1235 will also match.

In my Community Auth configuration I have set in authentication.php:
Code:
$config['min_chars_for_password'] = 8;
$config['max_chars_for_password'] = 256;

Is this a Community Auth bug? Or something misconfigured on my side?

I use CodeIgniter 3.0

Thanks for any hints.
#2

(This post was last modified: 12-13-2015, 01:51 PM by skunkbad.)

I cannot reproduce this problem you are having. I tried creating a user with the password "Admin1234", and then tried logging in with "Admin123" and "Admin12345", and was not able to log in.

1) Are you using the current version of Community Auth? It is available here:
https://bitbucket.org/skunkbad/community...eigniter-3

2) Community Auth specifically uses PHP's native crypt function to hash passwords. The hash type used is CRYPT_BLOWFISH, with a cost parameter of 09. According to the PHP docs, if on PHP 5.3.7+, the salt should start with $2y$. CodeIgniter, however, says that it is compatible with PHP 5.2.4, and Community Auth should be compatible with PHP 5.3+, so it will use $2a$ for now. You should feel free to look at the crypt documentation, and adjust the salt as needed: http://php.net/manual/en/function.crypt.php. If you are using PHP 5.5+, you might even switch to using PHP's password hash function, as recommended: http://php.net/manual/en/function.password-hash.php.

3) It looks like CRYPT_BLOWFISH requires a salt that has 22 characters after the cost parameter. Right now the random salt generator is passing 32 characters. I'll double check that this isn't a problem.

4) According to the PHP docs, CRYPT_BLOWFISH supports a maximum string length of 72 characters. The max password length config setting in Community Auth should probably be updated, since 256 would just be truncated to 72 (but certainly not 8).

5) I am unsure if different operating systems, like Windows, would have limitations in regards to the hashing. I can't test this, however, because I don't have any Windows machines lying around. My development environments are all Ubuntu 14.04.

I like the idea of Community Auth making it easier to adjust the hash type and cost parameters, perhaps based on the PHP version. For now, take a look at the hash_passwd function in the Authentication.php library, located in the libraries directory of Community Auth. If you read the PHP docs page for crypt, you'll see that the hashing can be easily modified to suit your needs.
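The following is an added example for this thread, not Community Auth's own code. It shows the two hashing paths discussed in post #2 side by side (password_hash() with bcrypt at cost 9, and a crypt() call with a "$2a$09$" prefix plus a 22-character salt), a sanity check that crypt() actually produced a bcrypt hash rather than rejecting the salt, and a small probe that finds the length beyond which a hashing routine stops looking at the password, which is exactly the symptom reported in post #1. All function names and the sample passwords are this example's own.

```php
<?php
// Added example for this thread; it is not Community Auth code.
// It hashes with PHP's password_hash() (bcrypt, $2y$, cost 9 as in post #2)
// and provides a check that detects at which length a hashing routine stops
// looking at the password, which is the symptom described in post #1.

// Recommended path on PHP 5.5+: password_hash() generates the salt itself
// and emits a $2y$ hash.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 9]);
}

function verify_password(string $plain, string $hash): bool
{
    return password_verify($plain, $hash);
}

// Legacy path mirroring the crypt() usage described in post #2:
// a "$2a$09$" prefix followed by a 22-character salt drawn from ./0-9A-Za-z.
// Bcrypt reads only 22 salt characters; anything beyond that is ignored.
function make_bcrypt_salt(): string
{
    // 16 random bytes -> 24 base64 chars ending in "=="; keep the first 22
    // and map '+' to '.' because bcrypt's salt alphabet is ./A-Za-z0-9.
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

function legacy_crypt_hash(string $plain, string $salt22): string
{
    return crypt($plain, '$2a$09$' . $salt22);
}

function legacy_crypt_verify(string $plain, string $hash): bool
{
    // crypt() re-uses the stored hash as the salt; compare in constant time.
    return hash_equals($hash, crypt($plain, $hash));
}

// A bcrypt hash is always 60 characters and keeps its "$2?$NN$" prefix.
// If crypt() rejected the salt, the result is something else (PHP returns a
// short failure string such as "*0"), and the stored value must not be used.
function looks_like_bcrypt(string $hash): bool
{
    return strlen($hash) === 60 && preg_match('/^\$2[aby]\$\d{2}\$/', $hash) === 1;
}

// Returns the first length n at which "n bytes + one extra byte" still
// verifies against the hash of the n-byte password, i.e. the point past which
// the scheme ignores input. Returns null if no truncation is found up to $maxLen.
// Bcrypt is specified to use at most 72 bytes of the password.
function find_truncation_length(callable $hasher, callable $verifier, int $maxLen = 80): ?int
{
    for ($n = 1; $n <= $maxLen; $n++) {
        $password = str_repeat('a', $n);
        $hash     = $hasher($password);
        if ($verifier($password . 'b', $hash)) {
            return $n;
        }
    }
    return null;
}

// Usage with the constructed sample passwords from post #1.
$hash = hash_password('Admin1234');
var_dump(verify_password('Admin1234', $hash));
var_dump(verify_password('Admin123', $hash));
var_dump(verify_password('Admin1235', $hash));

$legacy = legacy_crypt_hash('Admin1234', make_bcrypt_salt());
var_dump(looks_like_bcrypt($legacy));
var_dump(legacy_crypt_verify('Admin123', $legacy));

// Where does each path stop reading the password?
var_dump(find_truncation_length('hash_password', 'verify_password'));
var_dump(find_truncation_length(
    function (string $p): string { return legacy_crypt_hash($p, make_bcrypt_salt()); },
    'legacy_crypt_verify'
));
```

Both probes should report 72, matching point 4 of the reply above: bcrypt ignores bytes past the 72nd, so a max_chars_for_password of 256 only gives users a false sense of extra entropy. If a probe reports 8 instead, the stored hashes are not bcrypt at all (an 8-character cutoff is the behaviour of a much weaker scheme), and looks_like_bcrypt() on a freshly produced hash is the quickest way to tell whether crypt() accepted the salt it was given.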