[1.8.4] problem with encpass and repeated characters #811

Open
wilkowy opened this issue May 22, 2019 · 4 comments

@wilkowy commented May 22, 2019

This should not be the correct behaviour; there should be some variation involved:

.tcl encpass x
Tcl: +3Fi9q.glmnd0
.tcl encpass xx
Tcl: +3Fi9q.glmnd0
.tcl encpass xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Tcl: +3Fi9q.glmnd0
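Why the three commands above return the same string, shown as an added example that is not eggdrop's code: eggdrop's `+` hashes come from the blowfish module, which keys Blowfish with the password itself, and the standard Blowfish key schedule reads the key cyclically until it has consumed 72 bytes (18 P-array words of 4 bytes). Any two passwords whose cyclic expansion to 72 bytes matches therefore yield the same subkeys, the same hash, and interchangeable `encrypt`/`decrypt` keys, which is exactly what happens for `x`, `xx` and 31 x's, and for the same reason for `ab` and `abab`. The `key_stream`, `keys_collide` and `canonical_key` names below are this example's own; the code models only the key-schedule input, not the cipher.

```python
"""Why a Blowfish-keyed password hash cannot tell 'x' from 'xx'.

Added example, not code from eggdrop.  The standard Blowfish key schedule
XORs the key into the 18-entry P-array four bytes at a time, cycling back
to the start of the key whenever it runs out, until 72 bytes have been
consumed.  The resulting subkeys, and hence anything derived from them,
depend only on that 72-byte stream, so keys with identical cyclic
expansions are indistinguishable.
"""

P_ARRAY_WORDS = 18                     # Blowfish P-array size
KEY_STREAM_BYTES = P_ARRAY_WORDS * 4   # 72 key bytes read by the schedule


def key_stream(key: bytes) -> bytes:
    """The 72 bytes the Blowfish key schedule folds into the P-array.

    Mirrors the reference loop
        data = (data << 8) | key[j]; j = (j + 1) % len(key)
    run for 18 words of 4 bytes.  Key bytes past the 72nd are never read.
    """
    if not key:
        raise ValueError("Blowfish needs a key of at least one byte")
    return bytes(key[i % len(key)] for i in range(KEY_STREAM_BYTES))


def keys_collide(a: bytes, b: bytes) -> bool:
    """True when Blowfish derives the same subkeys from a and b.

    For a password-keyed hash this means hash(a) == hash(b), and a
    ciphertext made with key a decrypts under key b as well.
    """
    return key_stream(a) == key_stream(b)


def canonical_key(key: bytes) -> bytes:
    """Shortest key Blowfish cannot distinguish from `key`.

    Every password in a collision class shares this representative, which
    is all an attacker needs to guess: b'x' * 31 collapses to b'x'.
    """
    stream = key_stream(key)
    for length in range(1, KEY_STREAM_BYTES + 1):
        candidate = stream[:length]
        if key_stream(candidate) == stream:
            return candidate
    return stream  # not reached: the full 72-byte stream regenerates itself


def demo() -> list:
    """(password, representative) pairs for the inputs from the report.

    Sample inputs are constructed here for illustration.
    """
    samples = [b"x", b"xx", b"x" * 31, b"ab", b"abab", b"abc"]
    return [(p, canonical_key(p)) for p in samples]


if __name__ == "__main__":
    for password, rep in demo():
        print(f"{password!r:40} -> {rep!r}")
```

The check that matters for a password store is `canonical_key`: if a policy only rejects passwords whose representative is shorter than the password, it catches every repeated-pattern case the report shows while leaving ordinary passwords alone.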
@wilkowy (Author) commented May 24, 2019

Not to mention this:

.tcl encrypt x y
Tcl: 0Dy2T0A7ydw1
.tcl encrypt xx y
Tcl: 0Dy2T0A7ydw1
.tcl encrypt xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx y
Tcl: 0Dy2T0A7ydw1

.tcl decrypt x 0Dy2T0A7ydw1
Tcl: y
.tcl decrypt xx 0Dy2T0A7ydw1
Tcl: y
.tcl decrypt xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 0Dy2T0A7ydw1
Tcl: y
@thommey (Member) commented May 24, 2019

These are valid shortcomings of the current password hashing algorithm; thank you for your report. We are planning to fix this with something similar to #356 in the future (still in the discussion phase on how to introduce it without breaking existing userfiles).

@wilkowy (Author) commented May 31, 2019

@thommey, if I may, here is a suggestion for how to keep backward compatibility for old passwords and introduce the new hash/cbc as the default.

  1. As I've seen, cbc-encrypted strings have a * prefix. Just introduce the same thing for passwords with the new algorithms: keep the old + prefix to recognize old passwords and use * (or any other prefix) for new ones.
  2. Now we can differentiate between new and old passwords, but encpass is one-way only and we lack the original plaintext password.
  3. So wait until the user uses a command like /msg op/voice or any other that requires a password, or (s)he changes the password by themselves, and silently upgrade the password in the userfile. At any point the new algorithms can be set as the default ones, and old + passwords can still be kept for several releases, until 1.9.x or later. The release cycle is long enough that all/most active users will probably have upgraded their passwords by that time.
@wilkowy (Author) commented May 31, 2019

PS. Of course, the password has to be upgraded only after it has been positively validated against the old algorithm.
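The upgrade-on-verify scheme from the three steps above and the PS, as an added example that is not eggdrop's code: a distinct prefix marks records in the new format, nothing is converted offline because the `+` hash is one-way, and a record is rewritten only once the supplied password has positively verified against the old algorithm, so a wrong guess can never replace a stored hash. Assumptions: the new prefix `$pbkdf2$` is a hypothetical choice, the new KDF is PBKDF2-HMAC-SHA256 from `hashlib` with a random 16-byte salt, and `legacy_encpass` is a stand-in for the old hash that reproduces the reported collisions but is not eggdrop's Blowfish routine; `UserFile`, `verify_password` and the other names are this example's own.

```python
"""Upgrade-on-verify migration from '+' password hashes to a salted KDF.

Added example, not eggdrop code, following the thread's three steps:
(1) a distinct prefix marks records in the new format, (2) '+' hashes are
one-way so nothing can be converted offline, and (3) a record is rewritten
only after the supplied password has positively verified against the old
algorithm.  Assumptions: NEW_PREFIX is hypothetical, the new KDF is
PBKDF2-HMAC-SHA256 from hashlib, and legacy_encpass() is a stand-in for
the old hash, not eggdrop's Blowfish routine.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

LEGACY_PREFIX = "+"        # eggdrop's existing encpass output prefix
NEW_PREFIX = "$pbkdf2$"    # hypothetical; must not collide with '+' or '*'
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def legacy_encpass(password: str) -> str:
    """Stand-in for the old one-way hash (NOT eggdrop's Blowfish code).

    Keyed only on the 72-byte cyclic key expansion that the Blowfish key
    schedule reads, so 'x', 'xx' and 'xxx...' hash alike here as well.
    Output shape matches the report: '+' followed by 12 characters.
    """
    key = password.encode("utf-8")
    if not key:
        raise ValueError("empty password")
    stream = bytes(key[i % len(key)] for i in range(72))
    digest = hashlib.sha256(stream).digest()
    return LEGACY_PREFIX + base64.b64encode(digest)[:12].decode("ascii")


def new_encpass(password: str, salt: Optional[bytes] = None) -> str:
    """Salted record: $pbkdf2$<rounds>$<salt b64>$<dk b64>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "%s%d$%s$%s" % (
        NEW_PREFIX, PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_new(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and rounds; constant-time compare."""
    try:
        _, _, rounds_s, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        rounds = int(rounds_s)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement).

    replacement is a new-format record produced only when a LEGACY record
    verified positively (the PS above); it is None for new-format records,
    failed logins and unknown formats, so nothing is rewritten on a wrong guess.
    """
    if not password:
        return False, None
    if stored.startswith(NEW_PREFIX):
        return verify_new(password, stored), None
    if stored.startswith(LEGACY_PREFIX):
        ok = hmac.compare_digest(legacy_encpass(password).encode(), stored.encode())
        return ok, (new_encpass(password) if ok else None)
    return False, None


class UserFile:
    """Minimal stand-in for the userfile: handle -> stored password record."""

    def __init__(self, records: Dict[str, str]) -> None:
        self.records = dict(records)

    def login(self, handle: str, password: str) -> bool:
        """Check a password-bearing command; silently upgrade on success."""
        stored = self.records.get(handle)
        if stored is None:
            return False
        ok, replacement = verify_password(password, stored)
        if ok and replacement is not None:
            self.records[handle] = replacement  # rewritten at most once
        return ok


if __name__ == "__main__":
    uf = UserFile({"bob": legacy_encpass("hunter2")})  # constructed sample record
    print(uf.records["bob"], uf.login("bob", "hunter2"), uf.records["bob"])
```

Because the salt is random, two users with the same password, and the same user after a re-upgrade, get different records; and because PBKDF2 consumes every byte of the password, `x` and `xx` no longer collide even under an identical salt.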
