Bug #82048

Can't login with 32 characters password

Added by Tymoteusz Motylewski almost 4 years ago. Updated about 1 year ago.

Should have


Passwords which look like an md5 hash are not working.

1. Set an md5-like password for a fe/be user, e.g. 098f6bcd4621d373cade4e832627b4f6 (it has to be 32 chars long, with small letters and digits)
2. Try to log in
3. TYPO3 will always return an error; login is not possible

The hash created by TYPO3 (the one stored in the db in column password) will begin with "M$", but it should begin with "$".
Removing the M from the beginning of the hash makes it possible to log in.

The problem is in typo3/sysext/saltedpasswords/Classes/Evaluation/Evaluator.php,
method evaluateFieldValue:

    $isEnabled = $this->mode
        ? \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($this->mode)
        : \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled();
    if ($isEnabled) {
        $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
        $hashingMethod = substr($value, 0, 2);
        $isDeprecatedSaltedHash = ($hashingMethod === 'C$' || $hashingMethod === 'M$');
        /** @var $objInstanceSaltedPW \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
        $objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, $this->mode);
        if ($isMD5) {
            $set = true;
            $value = 'M' . $objInstanceSaltedPW->getHashedPassword($value);

I think evaluateFieldValue should know whether the value comes from the db and can be an md5 hash, or comes from direct plain input from the user.
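
The ambiguity described in this report, as an added example that is not part of the original issue or of TYPO3's code. PHP's password_hash() stands in for the saltedpasswords classes, the login-side handling of the "M" marker in verifyLogin() is an assumption, and storeExplicit() with its $isLegacyMd5FromDb flag is a hypothetical name for the direction the reporter suggests. With the reported password, the first check fails and the second succeeds.

```php
<?php
declare(strict_types=1);

// Heuristic from the excerpt: any value that looks like an MD5 digest is
// treated as a legacy hash and the stored value gets an "M" marker.
function storeAmbiguous(string $value): string
{
    if (preg_match('/[0-9abcdef]{32,32}/', $value)) {
        return 'M' . password_hash($value, PASSWORD_BCRYPT);
    }
    return password_hash($value, PASSWORD_BCRYPT);
}

// Hypothetical alternative: the caller states where the value came from,
// so a plain password is never reinterpreted because of its shape.
function storeExplicit(string $value, bool $isLegacyMd5FromDb): string
{
    $hash = password_hash($value, PASSWORD_BCRYPT);
    return $isLegacyMd5FromDb ? 'M' . $hash : $hash;
}

// Assumed login-side handling: an "M$..." record wraps md5(password),
// so the submitted password is MD5-hashed before the salted comparison.
function verifyLogin(string $plain, string $stored): bool
{
    if (substr($stored, 0, 2) === 'M$') {
        return password_verify(md5($plain), substr($stored, 1));
    }
    return password_verify($plain, $stored);
}

// Password from the report: 32 lowercase hex characters typed by the user.
$password = '098f6bcd4621d373cade4e832627b4f6';

// Shape-based guess: stored with "M", verified against md5($password).
echo 'ambiguous evaluator, login ok: ';
var_dump(verifyLogin($password, storeAmbiguous($password)));

// Provenance given explicitly: plain input is hashed as plain input.
echo 'explicit plain input, login ok: ';
var_dump(verifyLogin($password, storeExplicit($password, false)));

// Genuine legacy row (constructed sample): the db holds md5('legacy-secret').
echo 'explicit legacy md5 row, login ok: ';
var_dump(verifyLogin('legacy-secret', storeExplicit(md5('legacy-secret'), true)));
```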


Updated by Georg Ringer almost 4 years ago

  • Status changed from New to Accepted

Updated by Riccardo De Contardi over 2 years ago

  • Category set to Authentication

Updated by Georg Ringer about 1 year ago

  • Status changed from Accepted to Needs Feedback

Can you recheck on master? saltedpasswords has been migrated into core and md5 doesn't work anymore. I can't reproduce this anymore. Thx


Updated by Riccardo De Contardi about 1 year ago

I tried with 10.4.0-dev (latest master) and the password suggested in the description (098f6bcd4621d373cade4e832627b4f6) and I was able to log in.


Updated by Tymoteusz Motylewski about 1 year ago

  • Status changed from Needs Feedback to Closed

Let's close it then.
