Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 7:16 am

I have had troubles changing my password. I was logged in as an admin, but my user just wouldn't login. God knows what changed, but my site has been working fine until today. I started seeing the GFX check, yet I had set this to 0 for no graphics, and confirmed it was working by outputting the value in my main-menu block.

Anyway - so I tried to reset my password and all was ok again. I have now tried to set it back to my usual password and this contains a "." and a ">" and when I go to my user menu -> user info and change the password - it thinks that the passwords do not match. I realise sometimes you can slip up, but I typed them about 4 times and it still said that they mismatch? What gives?

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 7:42 am

still using the same block?
a gfx check doesn't suddenly go on or off :)
and password length set somewhere?

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 8:49 am

I have a block called block-main.menu.php

the ONLY thing I altered was the nuke sentinel setting to turn the admin auth to off because a few of them needed to setup new passwords. I hate how it's plaintext and that you can't just copy the md5 hash from their user account over to the admin account in the DB. That's what I did to create new authors on the site so why does the password have to be plaintext.

Anyway I copied the graphic check section from the raven login block to this main-menu module, and that has stopped the graphic check from appearing (since the config file is set to 0) but I still can't login. I can login as an admin, and I can see in the DB that my password hash is identical to the user password hash - so I can only guess that something has gone terribly wrong.

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 8:51 am

well generate it in phpmyadmin again..

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 8:57 am

So if I copy the user's hash from prefix_users to prefix_ whatever the sentinel bit is - then I don't need the plaintext bit?

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 9:02 am

listen...if you installed nuke with same admin username and pass you can just grab the md5 pass from the authors table.
check with yours in the user table if they are the same.

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 9:12 am

Yeah - I already checked that. It doesn't let me login. I can go in fine as an admin, but not as a user. When I reset my password and get the abc123def type pass e-mailed to me - then it works fine. But I tried to change my pass back to what it used to be here:

Image

it simply says that they do not match

Image

Whilst my block is old and was from the standard phpNuke type setup, the Your_Account index.php was a default ravenscript one. Can you guys test that and see if you have a . or a > or < in your password if it will let you change them?

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 9:27 am

Also just used the admin panel to make a new user with the same password that I want to set for my account. Again it's identical in the database - but I just can't login with it.

So much for using hard passwords!

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 9:50 am

try cleaning your computer internet history, including cookies etc...
then try again, if all fails let someone else have a look.

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 11:02 am

yeah - I dumped everything, saved passwords, saved form details, cookies, history, and downloaded files / cached content.

I'm sure it's a code issue and not the above because I can login fine with a normal text password - but it's just screwed on the user login with a "hardcore" password

it's 8 chars so it's within the length - but the fact that the your account / your info section thinks the passwords are different - leads me to think that the symbols I use are affecting the checking process

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 11:04 am

Symbols ?

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 11:09 am

< > . etc

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 11:15 am

that's not smart

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 11:18 am

to use in a password? well maybe now - but it had been ok before, and I had used the same one for nuke 7.4 and 7.6 so why should it be different now!??!

I can just use a text / numerical pass - but symbols are better still

Can you give it a go on your site - just try changing your pass and adding say a < or > to it and see if it thinks they are different - and if that's ok - if you can login still

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 11:23 am

lol...I'm not gonna change anything...
I never understand why people have to use these weird symbols, you could easily use 6vb6wyy , or aqzpftcmk, but why <.&*^%kaching!#>

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 11:27 am

true - but I'm more concerned with why it worked before, and not now - and also, why it's ok for my admin password still?

Register on my site and have a go?

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 12:35 pm

well I'm not gonna, just change your pass into something different, and without weird symbols..

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 12:43 pm

I found the section of code that's causing the error:

$user_password = htmlspecialchars(stripslashes($user_password));

This wasn't present in 7.4 and I assume it's in place to stop malicious code. The only thing is - I outputted my password after it had removed the special chars - and it was just the same as the $vpass value? so what gives?!

The idea of symbols is just good practice in keeping secure / complex passwords.

hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Apr 01, 2006 1:02 pm

well everything has a reason..

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 1:49 pm

Not being rude - but I really want to try and fix this so if you can save the comments and replace them with some useful code...

montego
Site Admin


Joined: Aug 29, 2004
Posts: 9133
Location: Arizona

Posted: Sat Apr 01, 2006 2:20 pm

These should be the only characters that would not work with this function: "&", "<" and ">" . Yes, it IS a security concern and there for a reason. Looks like this changed line came from the 3.1 or 3.2 patches? Anyways, I know it does not sound like a good solution, but we're only talking three characters that you should stay away from.

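The mismatch discussed in this thread, reproduced as an added example; it is not RavenNuke or PHP-Nuke code and not from any poster. It assumes, consistent with the symptoms described, that the escaped $user_password is compared against an unescaped confirmation value or against a hash of the raw password. The function names and sample passwords are hypothetical.

```php
<?php
// Added example, not RavenNuke code. Function names are hypothetical.

// The line quoted in the thread: the password is HTML-escaped on input.
function escape_on_input(string $pw): string
{
    return htmlspecialchars(stripslashes($pw));
}

// Assumed change-password check: only one of the two fields is escaped.
function confirm_matches(string $user_password, string $vpass): bool
{
    return escape_on_input($user_password) === $vpass;
}

// Assumed login check against an MD5 hash stored from the raw password,
// for example one copied in from another table.
function login_matches(string $typed, string $stored_md5): bool
{
    return md5(escape_on_input($typed)) === $stored_md5;
}

// Constructed sample passwords, not taken from the thread.
$samples = ['abc123def', 'p.ss>w0rd', 'a&b<c>d'];

foreach ($samples as $pw) {
    printf(
        "%-10s escaped=%-24s confirm=%-8s login=%s\n",
        $pw,
        escape_on_input($pw),
        confirm_matches($pw, $pw) ? 'match' : 'MISMATCH',
        login_matches($pw, md5($pw)) ? 'ok' : 'FAIL'
    );
}

// Echoed into an HTML page, the escaped value renders exactly like the
// original, so the two look identical in a browser. Comparing lengths (or
// viewing the page source) shows that the strings differ.
$pw = 'p.ss>w0rd';
printf("raw length=%d escaped length=%d\n", strlen($pw), strlen(escape_on_input($pw)));

// Hardened form: hash the raw password unchanged and apply
// htmlspecialchars() only when a value is written into HTML output.
$hash = password_hash($pw, PASSWORD_DEFAULT);
var_dump(password_verify($pw, $hash));
var_dump(password_verify(escape_on_input($pw), $hash));
```

Run it with the PHP command-line interpreter so the escaped values print as plain text instead of being rendered by a browser.
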
Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sat Apr 01, 2006 3:30 pm

I think it must have worked for me in the past on raven nuke because I was using my old index.php file from nuke 7.4 - having said that - when I was testing earlier - that file gave me an error. Anyway - I made the changes back and will use a different password. Funny how it wasn't changed on the admin login?

Anyway - one final thing came up in relation to passwords:

I have already setup my authors by making copies of the users I want as admins into the nuke_authors table. I could then set their admin usernames / passwords to be the same as their normal user logins by just copying the name / password hash from the nuke_users table.

For the sentinel part - this doesn't work as there is a plaintext password and an encrypted pass as well as the MD5 hash - I can't simply copy them over - and apparently they can't get access to the sentinel part to set this up themselves (HTTP Auth is turned off for the moment)

Any ideas?

montego
Site Admin


Joined: Aug 29, 2004
Posts: 9133
Location: Arizona

Posted: Sun Apr 02, 2006 7:38 am

The plain text password, I believe (I did not code it so am making an assumption), was necessary to work with HTTPAuth/CGIAuth feature. You have to give them their passwords or ask them for what they want them to be. Sorry, that is just how the tool was designed.

Also, you would most certainly NOT want to make your NS password the same as your other ones... (for the paranoid like me).

Blind-Summit
Hangin' Around


Joined: Mar 27, 2006
Posts: 27

Posted: Sun Apr 02, 2006 7:51 am

I had to alter my admin (God password) and then let them set their own passwords. Perhaps setting a global login for NS would be better, as you advise.

Thanks for your help :)

montego
Site Admin


Joined: Aug 29, 2004
Posts: 9133
Location: Arizona

Posted: Tue Apr 04, 2006 7:42 am

You are most welcome...