User settings password change locks out user if saltedpasswords is not configured to allow legacy passwords
If saltedpasswords is configured to disallow old md5 passwords and a user changes his/her password via the User Settings module, the user locks herself out of the BE.
The reason is that the User Settings dialog still creates old md5 passwords which are converted during the next login if saltedpasswords is configured to do so.
Updated by Markus Klein about 7 years ago
What happens here
1. EXT:saltedpasswords is loaded before EXT:setup.
2. EXT:saltedpasswords sets $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';, but $GLOBALS['TYPO3_USER_SETTINGS'] does not exist yet.
3. EXT:setup then defines $GLOBALS['TYPO3_USER_SETTINGS'] and overwrites $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = 'md5';
This causes the User Settings Tool to generate a legacy md5 password hash which is written into the DB.
During login the Authentication Service detects the old password and denies the login, if EXT:saltedpasswords is configured to force salted passwords in BE mode.
Setting a dependency of EXT:saltedpasswords to EXT:setup should ensure that setup is loaded first. But it does NOT!
The problem is that EXT:saltedpasswords is a protected system extension whereas EXT:setup is not.
Package Manager will therefore rearrange the loading order and EXT:setup is second again.
So we also need to set EXT:setup as protected to really get the right loading order.
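The loading-order effect described in this comment, as an added example that is not code from the bug report or from TYPO3: the two assignments are the ones quoted above, while the surrounding array layout of EXT:setup is an assumption reduced to the 'eval' key.

```php
<?php
// Added example (not from the bug report or TYPO3): simulates what each
// extension's ext_tables.php does to $GLOBALS['TYPO3_USER_SETTINGS'] and
// shows how the loading order decides the final 'eval' of the password field.

function loadSaltedpasswords(): void
{
    // EXT:saltedpasswords: switch off the legacy md5 evaluation.
    // If TYPO3_USER_SETTINGS does not exist yet, PHP silently creates it
    // with only this one nested key.
    $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';
}

function loadSetup(): void
{
    // EXT:setup: defines the whole array from scratch (layout assumed here),
    // replacing anything another extension wrote into it before.
    $GLOBALS['TYPO3_USER_SETTINGS'] = [
        'columns' => [
            'password' => ['type' => 'password', 'eval' => 'md5'],
        ],
    ];
}

/** Runs the given loaders in order and returns the resulting password eval. */
function passwordEvalAfterLoading(array $loaders): string
{
    unset($GLOBALS['TYPO3_USER_SETTINGS']); // fresh bootstrap for each run
    foreach ($loaders as $loader) {
        $loader();
    }
    return $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'];
}

// Buggy order (saltedpasswords first): 'md5' survives, so the User Settings
// module writes a legacy md5 hash and the login is refused afterwards.
$buggy = passwordEvalAfterLoading(['loadSaltedpasswords', 'loadSetup']);

// Intended order (setup first): '' survives, no legacy md5 hash is produced.
$fixed = passwordEvalAfterLoading(['loadSetup', 'loadSaltedpasswords']);

printf("saltedpasswords before setup: eval=%s\n", var_export($buggy, true));
printf("setup before saltedpasswords: eval=%s\n", var_export($fixed, true));
```

The dependency alone cannot fix the first run: as the comment explains, the Package Manager moves the protected extension ahead of the unprotected one, so EXT:setup also has to be marked protected for the second order to take effect.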