Magento 2 not supporting BCRYPT passwords introduced in SUPEE-11219 #26731

Closed
SamJUK opened this issue Feb 6, 2020 · 14 comments
Labels

  • Component: Customer
  • Component: Encryption
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Issue: Format is valid (Gate 1 Passed. Automatic verification of issue format passed)
  • Issue: Ready for Work (Gate 4. Acknowledged. Issue is added to backlog and ready for development)
  • Reported on 2.3.4 (Indicates original Magento version for the Issue report)
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)

Comments

@SamJUK

SamJUK commented Feb 6, 2020

Preconditions (*)

  1. Magento 2.3.4
  2. Magento 1.9.3.9 (Patched with SUPEE-11219_CE_1939)

Steps to reproduce (*)

  1. Create a user account on a Magento 1 store with SUPEE-11219 Applied
  2. Migrate data to Magento 2 using data migration tool
  3. Try to login with the user details

Expected result (*)

  1. Customer who set their password after SUPEE-11219 was applied can log into their account without resetting their password.

Actual result (*)

  1. Customer gets an invalid password error.

Additional Information 2.4-develop

This case has been verified on the current 2.4-develop branch, and it was confirmed here that the issue is still actual.

Rechecked with:
Magento 1.9.3.9 and SUPEE-11219_CE_1939
Data Migration tool 2.3.4
Magento 2.4-develop

Actual Result:

After migrating, the customers appeared in the Magento 2.4-develop Customers - All Customers grid,
but Sign In to the Storefront fails.
The customer is still able to Sign In on the Magento 1.9.3.9 Storefront.

@magento-deployment-service

Thanks for opening this issue!

@m2-assistant

m2-assistant bot commented Feb 6, 2020

Hi @SamJUK. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

@SamJUK do you confirm that you were able to reproduce the issue on vanilla Magento instance following steps to reproduce?

  • yes
  • no

@magento-engcom-team magento-engcom-team added the Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed label Feb 6, 2020
@engcom-Bravo engcom-Bravo self-assigned this Feb 11, 2020
@m2-assistant

m2-assistant bot commented Feb 11, 2020

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

  • 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

    If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit the issue description if needed, until the label Issue: Format is valid appears.

  • 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • 4. Verify that the issue is reproducible on 2.4-develop branch

    - Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on the 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that the issue is not reproducible, close the issue and stop the verification process here!

  • 5. Add label Issue: Confirmed once verification is complete.

  • 6. Make sure that automatic system confirms that report has been added to the backlog.

@engcom-Bravo
Contributor

engcom-Bravo commented Feb 11, 2020

@sdzhepa The issue is reproducible when migrating to Magento 2.4-develop.

Rechecked with:
Magento 1.9.3.9 and SUPEE-11219_CE_1939
Data Migration tool 2.3.4
Magento 2.4-develop

Actual Result:

After migrating, the customers appeared in the Magento 2.4-develop Customers - All Customers grid,
but Sign In to the Storefront fails.
The customer is still able to Sign In on the Magento 1.9.3.9 Storefront.

@sdzhepa sdzhepa added Component: Customer Reproduced on 2.4.x The issue has been reproduced on latest 2.4-develop branch Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed labels Feb 11, 2020
@magento-engcom-team
Contributor

✅ Confirmed by @sdzhepa
Thank you for verifying the issue. Based on the provided information, internal ticket MC-31414 was created.

Issue Available: @sdzhepa, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

@magento-engcom-team magento-engcom-team added the Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development label Feb 11, 2020
@pipe-devnull

Hi,

I have this issue migrating from 1.9.4.X to 2.3.4. I just found this issue while partway through a migration and now have thousands of accounts with passwords that will not work on the M2.3.4 site. Do you have a workaround?

@SamJUK
Author

SamJUK commented Feb 12, 2020

We got the client to just get customers to reset their password until an official mage fix, since it's around 5% of the userbase affected.

If you wanted to implement a fix, although I haven't tried it, you could do something along the lines of modifying the isValidHash method of \Magento\Framework\Encryption\Encryptor. Where you check the first 4 characters and if they match the start of a bcrypt password, $2y$, if so try the password_verify function against it. Obviously test on a dev site and make sure you test thoroughly before implementing in a live environment.

So something like

```php
public function isValidHash($password, $hash)
{
    // Legacy SUPEE-11219 hashes are plain bcrypt strings starting with $2y$
    if (stripos($hash, '$2y$') === 0) {
        return password_verify($password, $hash);
    }
    // ... otherwise fall through to the existing Magento 2 validation
}
```

@pipe-devnull

pipe-devnull commented Feb 12, 2020

Thanks for your comment @SamJUK - I've just implemented almost the same patch myself in that class since posting my question:

```php
// Single quotes so PHP does not try to interpolate "$2Y" / "$10" as variables
if (stripos($hash, '$2Y$10') === 0 && function_exists('password_hash')) { return password_verify($password, $hash); }
```
It's important to us because a lot of those customers affected will be new/active customers.

@Fidelity88

Fidelity88 commented Feb 12, 2020

> if (stripos($hash, "$2Y$10") === 0 && function_exists('password_hash')) { return password_verify($password, $hash); }

Is it just me, or do the functions password_hash and/or password_verify not exist in Encryptor.php on Magento 2.3.3?

Edit: ah! password_hash is a native PHP function (which I think is only supported by PHP 7.2)

@SamJUK
Author

SamJUK commented Feb 12, 2020

Both password_hash and password_verify should be available on Magento 2 since they are native PHP functions added in PHP 5.5 according to the PHP docs.

@victor-v-rad
Contributor

@SamJUK @Fidelity88 @pipe-devnull You can try to use this fix magento/data-migration-tool@3c7f83b, clear the cache and empty the magento_root/generated directory. When customers log in, the tool will validate the password and rehash it in an algorithm which Magento 2 understands.
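
The two ideas discussed in this thread, SamJUK's bcrypt-prefix fallback in isValidHash and the rehash-on-login behaviour victor-v-rad describes for the migration tool fix, put together as a stand-alone added example (not Magento's or the data-migration-tool's own code). It assumes Magento 2's SHA256 hash layout is `sha256(salt . password):salt:1`; the sample bcrypt hash is constructed at run time.

```php
<?php
// Added example: accept a migrated SUPEE-11219 bcrypt hash once, then replace it
// with a Magento 2 style SHA256 hash so the legacy format dies out on its own.
declare(strict_types=1);

const HASH_VERSION_SHA256 = 1; // assumption: Magento 2's version id for SHA256

// True for any bcrypt string ($2y$, $2a$, $2b$), regardless of cost or case.
function isBcryptHash(string $hash): bool
{
    return password_get_info($hash)['algoName'] === 'bcrypt';
}

// Assumed Magento 2 layout: sha256(salt . password) ":" salt ":" version.
function m2Sha256Hash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password) . ':' . $salt . ':' . HASH_VERSION_SHA256;
}

// Validate against either the legacy bcrypt form or the assumed SHA256 form.
function isValidHash(string $password, string $hash): bool
{
    if (isBcryptHash($hash)) {
        return password_verify($password, $hash);
    }
    $parts = explode(':', $hash);
    if (count($parts) !== 3 || (int) $parts[2] !== HASH_VERSION_SHA256) {
        return false; // other versions are left to Magento's own Encryptor
    }
    // Constant-time comparison to avoid leaking hash bytes through timing.
    return hash_equals($parts[0], hash('sha256', $parts[1] . $password));
}

// After a successful login: keep native hashes, rehash legacy bcrypt ones.
function rehashOnLogin(string $password, string $hash): ?string
{
    if (!isValidHash($password, $hash)) {
        return null; // wrong password: never touch the stored hash
    }
    return isBcryptHash($hash) ? m2Sha256Hash($password, bin2hex(random_bytes(16))) : $hash;
}

// Constructed sample: what SUPEE-11219 stored for the password "correct horse".
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
assert(isValidHash('correct horse', $legacy) && !isValidHash('wrong', $legacy));
$migrated = rehashOnLogin('correct horse', $legacy);
assert($migrated !== null && !isBcryptHash($migrated));
assert(isValidHash('correct horse', $migrated));
echo "migrated hash: $migrated\n";
```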

@hostep
Contributor

hostep commented Jun 4, 2020

Hi @sdzhepa or @victor-v-rad

What is the status over here?
Are there plans to put the solution from magento/data-migration-tool@3c7f83b into core Magento?
Because not everybody who migrates from an M1 to M2 database is using your data-migration-tool module 🙂

Thanks!

@ghost ghost moved this from Ready for Dev to Done (last 30 days) in Community Backlog Jun 23, 2020
@sdzhepa sdzhepa moved this from Done (last 30 days) to Ready for Dev in Community Backlog Jul 23, 2020
@victor-v-rad
Contributor

victor-v-rad commented Aug 17, 2020

@hostep @SamJUK
It is recommended to use the Data Migration Tool to fix this issue, and it is the easiest way. You just need to install it into your Magento 2 and it will take care of BCRYPT passwords even if you migrated using some other tool. As an alternative you can upgrade your Magento 1 to 1.9.4.5/1.14.4.5. These versions have the fix as well. But you need to wait until all the customers re-login and their passwords get rehashed with the SHA256 algorithm, which is compatible with Magento 2, and then migrate. Also you can try to find a similar solution in Magento Marketplace extensions.

@sdzhepa
Contributor

sdzhepa commented Aug 17, 2020

Thank you @victor-v-rad for the update and details.
It seems the issue is already resolved and we can close it.

cc: @hostep

@sdzhepa sdzhepa closed this as completed Aug 17, 2020
@ghost ghost moved this from Ready for Dev to Done (last 30 days) in Community Backlog Aug 17, 2020
@magento-engcom-team magento-engcom-team added the Reported on 2.3.4 Indicates original Magento version for the Issue report. label Nov 13, 2020