Bug #82048

Can't login with 32 characters password

Added by Tymoteusz Motylewski almost 3 years ago. Updated 3 months ago.

Should have


Passwords which look like an MD5 hash are not working.

1. Set an MD5-like password for a FE/BE user, e.g. 098f6bcd4621d373cade4e832627b4f6 (it has to be 32 chars long, with small letters and digits)
2. Try to log in
3. TYPO3 will always return an error, login is not possible

The hash created by TYPO3 (the one stored in the db in column password) will begin with "M$", but it should begin with "$".
Removing the M from the beginning of the hash makes it possible to log in.

The problem is in typo3/sysext/saltedpasswords/Classes/Evaluation/Evaluator.php, method evaluateFieldValue:

$isEnabled = $this->mode
    ? \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($this->mode)
    : \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled();
if ($isEnabled) {
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $hashingMethod = substr($value, 0, 2);
    $isDeprecatedSaltedHash = ($hashingMethod === 'C$' || $hashingMethod === 'M$');
    /** @var $objInstanceSaltedPW \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
    $objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, $this->mode);
    if ($isMD5) {
        $set = true;
        $value = 'M' . $objInstanceSaltedPW->getHashedPassword($value);

I think evaluateFieldValue should know whether the value comes from the db and can be an MD5 hash, or comes from direct plain input from the user.
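
The misclassification described in this report, as an added example that is not part of the original report or of TYPO3's code: a simplified PHP model in which password_hash()/password_verify() stand in for the salting instance, and storeAsReported(), storeWithOrigin() and verifyLogin() are hypothetical names. It assumes the login check applies md5() to the submitted password before verifying an "M$" record.

```php
<?php
// Added illustration: a simplified model, not TYPO3 code. password_hash() and
// password_verify() stand in for the saltedpasswords salting instance.
const MD5_LOOKALIKE = '/[0-9abcdef]{32,32}/'; // pattern quoted in the report (unanchored)

// Models the quoted evaluator branch: a value that looks like MD5 is assumed
// to be a legacy hash from the database and gets the "M" marker.
function storeAsReported(string $value): string
{
    if (preg_match(MD5_LOOKALIKE, $value)) {
        return 'M' . password_hash($value, PASSWORD_DEFAULT);
    }
    return password_hash($value, PASSWORD_DEFAULT);
}

// Hypothetical alternative: the caller states whether the value is a legacy
// MD5 hash read from the database or plain text typed by a user.
function storeWithOrigin(string $value, bool $isLegacyMd5FromDb): string
{
    return ($isLegacyMd5FromDb ? 'M' : '') . password_hash($value, PASSWORD_DEFAULT);
}

// Assumption: an "M"-prefixed record wraps md5(plaintext), so the submitted
// password is passed through md5() before it is verified.
function verifyLogin(string $submitted, string $stored): bool
{
    if (strncmp($stored, 'M$', 2) === 0) {
        return password_verify(md5($submitted), substr($stored, 1));
    }
    return password_verify($submitted, $stored);
}

$password = '098f6bcd4621d373cade4e832627b4f6'; // plain-text password from the report

// Stored through the heuristic: the record carries the legacy marker and the
// login check compares md5($password) against a hash of $password itself.
$stored = storeAsReported($password);
var_dump(substr($stored, 0, 2));
var_dump(verifyLogin($password, $stored));

// Same password stored as declared plain input: no marker, no md5() step.
$stored = storeWithOrigin($password, false);
var_dump(verifyLogin($password, $stored));

// A constructed legacy record (MD5 of an old password) still verifies when flagged.
$legacy = storeWithOrigin(md5('old-secret'), true);
var_dump(verifyLogin('old-secret', $legacy));

// The pattern has no ^ or $ anchors, so it also matches inside longer values.
var_dump(preg_match(MD5_LOOKALIKE, 'x' . $password . '!') === 1);
```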


#1 Updated by Georg Ringer almost 3 years ago

  • Status changed from New to Accepted

#2 Updated by Riccardo De Contardi over 1 year ago

  • Category set to Authentication

#3 Updated by Georg Ringer 3 months ago

  • Status changed from Accepted to Needs Feedback

Can you recheck on master? saltedpasswords has been migrated into core and md5 doesn't work anymore. I can't reproduce this anymore. Thx

#4 Updated by Riccardo De Contardi 3 months ago

I tried with 10.4.0-dev (latest master) and the password suggested in the description (098f6bcd4621d373cade4e832627b4f6) and I was able to log in.

#5 Updated by Tymoteusz Motylewski 3 months ago

  • Status changed from Needs Feedback to Closed

Let's close it then.
