
Mailing List Archive: Wikipedia: Mediawiki

user_password field changed in 1.13?

 

 



richardkmiller at gmail

Sep 6, 2008, 12:59 PM

Post #1 of 5 (416 views)
user_password field changed in 1.13?

It appears the user.user_password field changed in the upgrade from
1.12 to 1.13, but I didn't see any mention of it in the Release Notes.

I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to
the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)

In MediaWiki 1.13, with password salting turned off, the password 32
byte MD5 hash is now prepended with a letter and the user_id. For
example:

76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
:B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)

Could someone please point me to information about this change? Is it
possible to disable this password prefix so it will continue to be
only an MD5 hash?

Best regards,
Richard



_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Platonides at gmail

Sep 6, 2008, 2:53 PM

Post #2 of 5 (397 views)
Re: user_password field changed in 1.13? [In reply to]

Richard K Miller wrote:
> It appears the user.user_password field changed in the upgrade from
> 1.12 to 1.13, but I didn't see any mention of it in the Release Notes.
>
> I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to
> the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
>
> In MediaWiki 1.13, with password salting turned off, the password 32
> byte MD5 hash is now prepended with a letter and the user_id. For
> example:
>
> 76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
> :B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
>
> Could someone please point me to information about this change? Is it
> possible to disable this password prefix so it will continue to be
> only an MD5 hash?
>
> Best regards,
> Richard

It was documented three months ago on wikitech-l. Should be on release
notes, though.
http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503

In the new format, you would need to prefix with ":A:" the md5 hashes.
You probably need to modify crypt() on User.php to avoid generation of
passwords in the new format.




richardkmiller at gmail

Sep 8, 2008, 10:11 AM

Post #3 of 5 (384 views)
Re: user_password field changed in 1.13? [In reply to]

On Sep 6, 2008, at 3:53 PM, Platonides wrote:

> Richard K Miller wrote:
>> It appears the user.user_password field changed in the upgrade from
>> 1.12 to 1.13, but I didn't see any mention of it in the Release
>> Notes.
>>
>> I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to
>> the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
>>
>> In MediaWiki 1.13, with password salting turned off, the password 32
>> byte MD5 hash is now prepended with a letter and the user_id. For
>> example:
>>
>> 76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
>> :B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
>>
>> Could someone please point me to information about this change? Is it
>> possible to disable this password prefix so it will continue to be
>> only an MD5 hash?
>>
> It was documented three months ago on wikitech-l. Should be on release
> notes, though.
> http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503
>
> In the new format, you would need to prefix with ":A:" the md5 hashes.
> You probably need to modify crypt() on User.php to avoid generation of
> passwords in the new format.

Thanks for this update.

Would it make sense to introduce a new configuration directive to
indicate the password is unsalted AND unprefixed? For example,
$wgPasswordPrefix = false ?

Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include
these:
1. Modify crypt() in User.php (not ideal)
2. Modify and recompile mod_auth_mysql (not ideal)
3. Create a MySQL VIEW that returns user_name and the latter portion
of user_password (my current solution)
4. Introduce a new configuration directive, such as $wgPasswordPrefix




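Added example, not part of the thread and not MediaWiki or mod_auth_mysql code: before relying on a view that exposes only the trailing portion of user_password (workaround 3 above), it helps to audit which of the formats quoted in this thread each row actually uses. The function names and the sample rows are constructed for illustration; the digest is the one quoted in the first post.

```python
import re
from collections import Counter

HEX32 = re.compile(r"[0-9a-f]{32}")

def parse_user_password(stored):
    """Return (fmt, salt, digest) for one stored user_password value.

    fmt is 'legacy' (bare 32-hex digest, the 1.12 value quoted in the
    thread), 'A' (":A:<digest>") or 'B' (":B:<id>:<digest>").
    Anything else raises ValueError so it cannot reach the verifier.
    """
    if HEX32.fullmatch(stored):
        return ("legacy", None, stored)
    parts = stored.split(":")  # ":B:1:<digest>" -> ['', 'B', '1', '<digest>']
    if parts[0] != "":
        raise ValueError("unrecognised format")
    if len(parts) == 3 and parts[1] == "A":
        fmt, salt, digest = "A", None, parts[2]
    elif len(parts) == 4 and parts[1] == "B" and parts[2]:
        fmt, salt, digest = "B", parts[2], parts[3]
    else:
        raise ValueError("unrecognised format")
    if not HEX32.fullmatch(digest):
        raise ValueError("digest is not 32 hex characters")
    return (fmt, salt, digest)

def audit(rows):
    """Count rows per format and list user names whose value was rejected."""
    counts, rejected = Counter(), []
    for user_name, stored in rows:
        try:
            counts[parse_user_password(stored)[0]] += 1
        except ValueError:
            rejected.append(user_name)
    return dict(counts), rejected

# Constructed sample rows; only the digest comes from the thread.
DIGEST = "76cecfa967423834abdbd1c8a8ac4125"
ROWS = [
    ("Alice", DIGEST),                 # 1.12 value, no prefix
    ("Bob", ":A:" + DIGEST),           # ":A:" prefix mentioned in the reply
    ("Carol", ":B:1:" + DIGEST),       # 1.13 value quoted in the first post
    ("Dave", ":B:1:" + DIGEST[:-1]),   # truncated digest, must be rejected
    ("Erin", ":C:" + DIGEST),          # unknown type letter, must be rejected
]

if __name__ == "__main__":
    print(audit(ROWS))
```

Rows listed as rejected are the ones a "take everything after the last colon" view would pass to the external verifier without any format check.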

Platonides at gmail

Sep 11, 2008, 9:58 AM

Post #4 of 5 (369 views)
Re: user_password field changed in 1.13? [In reply to]

Richard K Miller wrote:
> Thanks for this update.
>
> Would it make sense to introduce a new configuration directive to
> indicate the password is unsalted AND unprefixed? For example,
> $wgPasswordPrefix = false ?
>
> Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include
> these:
> 1. Modify crypt() in User.php (not ideal)
> 2. Modify and recompile mod_auth_mysql (not ideal)
> 3. Create a MySQL VIEW that returns user_name and the latter portion
> of user_password (my current solution)
> 4. Introduce a new configuration directive, such as $wgPasswordPrefix

The change to the passwords was precisely to avoid trouble with password
formats. IMHO the best fit would be #2 adding some new directives and
applied to official mod_auth_mysql




richardkmiller at gmail

Sep 11, 2008, 7:16 PM

Post #5 of 5 (363 views)
Re: user_password field changed in 1.13? [In reply to]

On Sep 11, 2008, at 10:58 AM, Platonides wrote:

> Richard K Miller wrote:
>> Thanks for this update.
>>
>> Would it make sense to introduce a new configuration directive to
>> indicate the password is unsalted AND unprefixed? For example,
>> $wgPasswordPrefix = false ?
>>
>> Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include
>> these:
>> 1. Modify crypt() in User.php (not ideal)
>> 2. Modify and recompile mod_auth_mysql (not ideal)
>> 3. Create a MySQL VIEW that returns user_name and the latter portion
>> of user_password (my current solution)
>> 4. Introduce a new configuration directive, such as $wgPasswordPrefix
>
> The change to the passwords was precisely to avoid trouble with
> password
> formats. IMHO the best fit would be #2 adding some new directives and
> applied to official mod_auth_mysql

"Trouble with password formats" is relative. For my wiki, it was more
trouble to have to deal with the new user_password prefix. :)

I wouldn't expect mod_auth_mysql to support an option for working
specifically with MediaWiki, and even a more general "ignore x
characters prefix" option wouldn't be widely used.

For backward compatibility, a $wgPasswordBackwardCompatibility could
be set to true. The patch would look like this:

http://pastebin.com/f18b27dc0

(Additional code would be needed for wikis that have already migrated
passwords to the new format.)


