It appears the user.user_password field changed in the upgrade from 1.12 to 1.13, but I didn't see any mention of it in the Release Notes.
I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
In MediaWiki 1.13, with password salting turned off, the password 32 byte MD5 hash is now prepended with a letter and the user_id. For example:
76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
:B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
Could someone please point me to information about this change? Is it possible to disable this password prefix so it will continue to be only an MD5 hash?
Best regards, Richard
Richard K Miller wrote:
> It appears the user.user_password field changed in the upgrade from 1.12 to 1.13, but I didn't see any mention of it in the Release Notes.
> I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
> In MediaWiki 1.13, with password salting turned off, the password 32 byte MD5 hash is now prepended with a letter and the user_id. For example:
> 76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
> :B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
> Could someone please point me to information about this change? Is it possible to disable this password prefix so it will continue to be only an MD5 hash?
> Best regards, Richard
It was documented three months ago on wikitech-l. Should be on release notes, though. http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503
In the new format, you would need to prefix with ":A:" the md5 hashes. You probably need to modify crypt() on User.php to avoid generation of passwords in the new format.
On Sep 6, 2008, at 3:53 PM, Platonides wrote:
> Richard K Miller wrote:
>> It appears the user.user_password field changed in the upgrade from 1.12 to 1.13, but I didn't see any mention of it in the Release Notes.
>> I'm using $wgPasswordSalt = false so I can connect mod_auth_mysql to the user table for password protection. (See my blog post at http://tinyurl.com/y7ue8k)
>> In MediaWiki 1.13, with password salting turned off, the password 32 byte MD5 hash is now prepended with a letter and the user_id. For example:
>> 76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.12)
>> :B:1:76cecfa967423834abdbd1c8a8ac4125 (user_password in 1.13)
>> Could someone please point me to information about this change? Is it possible to disable this password prefix so it will continue to be only an MD5 hash?
> It was documented three months ago on wikitech-l. Should be on release notes, though. http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/38503
> In the new format, you would need to prefix with ":A:" the md5 hashes. You probably need to modify crypt() on User.php to avoid generation of passwords in the new format.
Thanks for this update.
Would it make sense to introduce a new configuration directive to indicate the password is unsalted AND unprefixed? For example, $wgPasswordPrefix = false ?
Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include these:
1. Modify crypt() in User.php (not ideal)
2. Modify and recompile mod_auth_mysql (not ideal)
3. Create a MySQL VIEW that returns user_name and the latter portion of user_password (my current solution)
4. Introduce a new configuration directive, such as $wgPasswordPrefix
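An added example, not code from this thread or from MediaWiki: it parses the three shapes of user_password discussed above and reports which rows a plain-MD5 consumer such as mod_auth_mysql can still check once a VIEW strips the prefix. It assumes ":A:" marks an unsalted MD5 and ":B:<salt>:" marks md5(salt + "-" + md5(password)); the ":B:" rule, the function names, and the sample users, password and salt are assumptions that are not stated in the thread.

```python
import hashlib
import hmac
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def same(a, b):
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def parse_user_password(stored):
    """Return (scheme, salt, digest) for a user.user_password value."""
    if stored.startswith(":A:"):              # prefixed, unsalted MD5
        return "A", None, stored[3:]
    if stored.startswith(":B:"):              # assumed layout :B:<salt>:<digest>
        salt, sep, digest = stored[3:].partition(":")
        if not sep:
            raise ValueError("':B:' value has no salt separator")
        return "B", salt, digest
    return "legacy", None, stored             # bare digest as stored by 1.12

def mediawiki_accepts(stored, password):
    """Check a password under the assumed scheme (legacy rows taken as unsalted)."""
    scheme, salt, digest = parse_user_password(stored)
    inner = md5_hex(password)
    return same(md5_hex(salt + "-" + inner) if scheme == "B" else inner, digest)

def latter_portion(stored):
    """What a VIEW exposing the text after the last ':' would return."""
    return stored.rsplit(":", 1)[-1]

def plain_md5_accepts(stored, password):
    """Model an external consumer comparing md5(password) to the stripped column."""
    return same(md5_hex(password), latter_portion(stored))

def plain_md5_rows(rows):
    """Names whose stripped column is a plain MD5 that such a consumer can check."""
    return [name for name, stored in rows
            if parse_user_password(stored)[0] != "B"
            and HEX32.fullmatch(latter_portion(stored))]

# Constructed sample rows; the password and salt are made up for this example.
SAMPLE_PASSWORD = "correct horse"
ROWS = [
    ("Alice", md5_hex(SAMPLE_PASSWORD)),
    ("Bob", ":A:" + md5_hex(SAMPLE_PASSWORD)),
    ("Carol", ":B:1f2e3d4c:" + md5_hex("1f2e3d4c-" + md5_hex(SAMPLE_PASSWORD))),
]
```

Under these assumptions, rows in the ":B:" form pass the wiki-style check but not the stripped plain-MD5 comparison, so they are the ones to look for before pointing an external authenticator at the VIEW.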
Richard K Miller wrote:
> Thanks for this update.
> Would it make sense to introduce a new configuration directive to indicate the password is unsalted AND unprefixed? For example, $wgPasswordPrefix = false ?
> Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include these:
> 1. Modify crypt() in User.php (not ideal)
> 2. Modify and recompile mod_auth_mysql (not ideal)
> 3. Create a MySQL VIEW that returns user_name and the latter portion of user_password (my current solution)
> 4. Introduce a new configuration directive, such as $wgPasswordPrefix
The change to the passwords was precisely to avoid trouble with password formats. IMHO the best fit would be #2 adding some new directives and applied to official mod_auth_mysql
On Sep 11, 2008, at 10:58 AM, Platonides wrote:
> Richard K Miller wrote:
>> Thanks for this update.
>> Would it make sense to introduce a new configuration directive to indicate the password is unsalted AND unprefixed? For example, $wgPasswordPrefix = false ?
>> Work-arounds for connecting mod_auth_mysql to MediaWiki 1.13 include these:
>> 1. Modify crypt() in User.php (not ideal)
>> 2. Modify and recompile mod_auth_mysql (not ideal)
>> 3. Create a MySQL VIEW that returns user_name and the latter portion of user_password (my current solution)
>> 4. Introduce a new configuration directive, such as $wgPasswordPrefix
> The change to the passwords was precisely to avoid trouble with password formats. IMHO the best fit would be #2 adding some new directives and applied to official mod_auth_mysql
"Trouble with password formats" is relative. For my wiki, it was more trouble to have to deal with the new user_password prefix. :)
I wouldn't expect mod_auth_mysql to support an option for working specifically with MediaWiki, and even a more general "ignore x characters prefix" option wouldn't be widely used.
For backward compatibility, a $wgPasswordBackwardCompatibility could be set to true. The patch would look like this:
(Additional code would be needed for wikis that have already migrated passwords to the new format.)
mediawiki-l@lists.wikimedia.org