On Sep 6, 2008, at 3:53 PM, Platonides wrote:
Richard K Miller wrote:
It appears the user.user_password field changed in the upgrade from 1.12 to 1.13, but I didn't see any mention of it in the Release Notes.
I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
In MediaWiki 1.13, with password salting turned off, the password 32 byte MD5 hash is now prepended with a letter and the user_id. For example:
76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12) :B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
Could someone please point me to information about this change? Is it possible to disable this password prefix so it will continue to be only an MD5 hash?
It was documented three months ago on wikitech-l. Shoul dbe on release notes, though. http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503
In the new format, you would need to prefix with ":A:" the md5 hashes. You probably need to modify crypt() on User.php to avoid generation of passwords in the new format.
Thanks for this update.
Would it make sense to introduce a new configuration directive to indicate the the password is unsalted AND unprefixed? For example, $wgPasswordPrefix = false ?
Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include these: 1. Modify crypt() in User.php (not ideal) 2. Modify and recompile mod_auth_mysql (not ideal) 3. Create a MySQL VIEW that returns user_name and the latter portion of user_password (my current solution) 4. Introduce a new configuration directive, such as $wgPasswordPrefix