Issue with Joomla\Crypt\Password\Simple


Elena Cenacchi

Sep 22, 2016, 4:52:01 AM9/22/16
to Joomla! Framework Development
Hi,

I am encrypting user passwords before storing them in the database, using the following code in my Model:

use Joomla\Crypt\Password\Simple;

$this->simplepw=new Simple();       
$pw=$this->simplepw->create($user['password'],'Joomla');

Anyhow, I notice that often the password is generated in a wrong format: the string contains invalid characters like . / etc. If I repeat the procedure one or two times, then finally the password is generated in the correct format, and everything works.
A practical example: let's say I want to store the "test" password:

1st trial stores: 44a561c12a9d6a1279058e2a5e337648:z8k6H3pccyCeso0VJgntlpjs/g2S9OXq
2nd trial stores: f084288fddba112578d2f6d9a37cee0f:cB609FIrfx3E0R8lGp65WNi.4FYuYf8/
3rd trial stores: b41d97a35f4ed1015ca93738410098c5:JrjTpJk.xncGGf8.Anoaory4LQpQSQRN
4th trial stores: 563e29fa45b0b5dd2cd1afda6172eba4:XjLZyV9gIC9ZjfRLBD26artyANnsxKGD
(and this is valid)

The behavior is random: sometimes the 1st trial is OK, other times it takes more shots (usually < 5).

Do you have any hint about why this happens?

Elena




Michael Babker

Sep 22, 2016, 5:02:04 AM9/22/16
to joomla-dev...@googlegroups.com
The suggestion is to not use it as that interface is deprecated.  Use PHP 5.5's native password hashing API, available as a polyfill via Composer for PHP 5.3.7+.
--
Framework source code: https://github.com/joomla-framework
Visit http://developer.joomla.org for more information about developing with Joomla!
---
You received this message because you are subscribed to the Google Groups "Joomla! Framework Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-framework+unsub...@googlegroups.com.
Visit this group at https://groups.google.com/group/joomla-dev-framework.


--
- Michael

Please pardon any errors, this message was sent from my iPhone.

Elena Cenacchi

Sep 22, 2016, 5:31:37 AM9/22/16
to Joomla! Framework Development
Hi Michael,

Thanks for the answer!
Do you mean using the native PHP hash functions (http://php.net/manual/en/function.password-hash.php)?

This certainly can be a solution, but, since it's a PHP core function, couldn't it be integrated inside the Joomla! Framework library?

Currently the Simple.php performs the following:

....
case PasswordInterface::JOOMLA:
   $salt = $this->getSalt(32);
   return md5($password . $salt) . ':' . $salt;

Can't the class be updated so to use password_hash() instead?

Michael Babker

Sep 22, 2016, 5:48:47 AM9/22/16
to joomla-dev...@googlegroups.com
We elected to simply deprecate that API in favor of the native PHP API, we felt there wasn't a need to have a wrapping layer around these native functions.

Part of it is because of how "legacy" hashes are generated and their strengths being not that strong.  The Joomla password type maps to the older style MD5 based hashes which should only be used for migrating legacy users forward today.  The verification part of that does use the native API for Blowfish (BCrypt) passwords, but create uses PHP's crypt() function.

In the CMS, the JUserHelper class keeps handling password generation and verification for different types (and uses the native functions as appropriate) since it is still supporting upgrading users with older hash types to the current standard.  At the Framework level, we'd rather encourage users to simply use the PHP API, follow the best practices associated with that API, and be less reliant on a wrapping layer such as the Joomla\Crypt\PasswordInterface and the Simple class implementing it.



Elena Cenacchi

Sep 22, 2016, 6:00:58 AM9/22/16
to Joomla! Framework Development

I see, thanks for the explanation.
Does this mean that if I implement both the PHP native create and verify, the latter will also be compatible with the previously generated passwords? Or do they have to be re-saved with the updated function?
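As an added example (not code from this thread, from the Joomla Framework or from the CMS's JUserHelper), here is the "migrate legacy users forward" pattern Michael describes: the stored value is checked against the legacy md5(password . salt):salt layout quoted above from Simple.php, and against a native password_hash() value, and on a successful legacy login the caller is handed a fresh bcrypt hash to write back. The function names, the array return shape and the constructed sample values are this example's own assumptions; it assumes PHP 5.6+ for hash_equals() (or PHP 5.5 plus a constant-time substitute, with the password_compat polyfill below 5.5) and the ctype extension.

```php
<?php
// Added example, not Joomla Framework code. Demonstrates verifying the
// legacy "hex-md5:salt" layout that Simple::create() produced for
// PasswordInterface::JOOMLA, and upgrading it to password_hash() on login.

/**
 * Check a password against a legacy "md5(password . salt):salt" value.
 * Returns false for any other layout so the caller can fall through to
 * password_verify(). The salt is opaque here: characters such as "." and
 * "/" (present in the values posted above) are part of it and must be
 * stored and compared verbatim.
 */
function legacyJoomlaVerify($password, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return false;
    }
    list($hash, $salt) = $parts;
    // hash_equals() avoids a timing side channel on the comparison.
    return hash_equals($hash, md5($password . $salt));
}

/**
 * Verify a candidate password against whatever is stored and return
 * array('ok' => bool, 'newHash' => string|null). 'newHash' is non-null when
 * the caller should overwrite the stored value: either a legacy hash was
 * matched and is being migrated, or an existing bcrypt hash no longer meets
 * the requested cost.
 */
function verifyAndMigrate($password, $stored, $cost = 10)
{
    $opts = array('cost' => $cost);

    if (legacyJoomlaVerify($password, $stored)) {
        // Legacy MD5 hash matched: upgrade now, while the plaintext is in hand.
        return array(
            'ok'      => true,
            'newHash' => password_hash($password, PASSWORD_BCRYPT, $opts),
        );
    }

    if (password_verify($password, $stored)) {
        $newHash = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
            ? password_hash($password, PASSWORD_BCRYPT, $opts)
            : null;
        return array('ok' => true, 'newHash' => $newHash);
    }

    return array('ok' => false, 'newHash' => null);
}

// Constructed sample data so the script runs offline: a legacy record for the
// password "test" is built here the same way Simple::create() built it, with
// a salt that deliberately contains "." and "/".
$salt         = 'z8k6H3pccyCeso0VJgntlpjs/g2S9OXq';
$legacyStored = md5('test' . $salt) . ':' . $salt;

// First login after the code change: legacy path, migration hash returned.
$first = verifyAndMigrate('test', $legacyStored);
echo 'legacy login ok: ', var_export($first['ok'], true), PHP_EOL;
echo 'new hash prefix: ', substr($first['newHash'], 0, 4), PHP_EOL;

// Second login against the migrated value: bcrypt path, nothing to rewrite.
$second = verifyAndMigrate('test', $first['newHash']);
echo 'bcrypt login ok: ', var_export($second['ok'], true),
     ', rehash needed: ', var_export($second['newHash'] !== null, true), PHP_EOL;

// Wrong password against the legacy record: both paths reject it.
$bad = verifyAndMigrate('wrong', $legacyStored);
echo 'wrong password ok: ', var_export($bad['ok'], true), PHP_EOL;
```

The caller persists 'newHash' whenever it is non-null, so each legacy user is converted the first time they authenticate and the MD5 value never has to be kept once a bcrypt hash exists for that account; users who never log in again keep the weak hash, which is the argument for expiring dormant legacy accounts rather than waiting for them to migrate.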



