Magento 2 not supporting BCRYPT passwords introduced in SUPEE-11219

[SamJUK]

Preconditions (*)

1. Magento 2.3.4
2. Magento 1.9.3.9 (Patched with SUPEE-11219_CE_1939)

Steps to reproduce (*)

1. Create a user account on a Magento 1 store with SUPEE-11219 Applied
2. Migrate data to Magento 2 using data migration tool
3. Try to login with the user details

Expected result (*)

1. Customer who set their password after SUPEE-11219 was applied can log into account without reseting their password.

Actual result (*)

1. Customer gets an invalid password error.

Additional Information 2.4-develop

This case has been verified for current 2.4-develop and was confirmed here that issue still actual

Rechecked with:
Magento 1.9.3.9 and SUPEE-11219_CE_1939
Data Migration tool 2.3.4
Magento 2.4-develop

Actual Result:

After migrating, the customers appeared in Magento 2.4- develop Customers - All Customers grid
But Sign In to Storefront fails
The customer is still able to Sign In Magento 1.9.3.9 Storefront

[magento-deployment-service]

Thanks for opening this issue!

[m2-assistant]

Hi @SamJUK. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

@SamJUK do you confirm that you were able to reproduce the issue on vanilla Magento instance following steps to reproduce?

• yes
• no

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[m2-assistant]

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 5. Add label Issue: Confirmed once verification is complete.

• 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Bravo]

@sdzhepa The issue is reproducible if migrate to Magento 2.4-develop

Rechecked with:
Magento 1.9.3.9 and SUPEE-11219_CE_1939
Data Migration tool 2.3.4
Magento 2.4-develop

Actual Result:

After migrating, the customers appeared in Magento 2.4- develop Customers - All Customers grid
But Sign In to Storefront fails
The customer is still able to Sign In Magento 1.9.3.9 Storefront

[magento-engcom-team]

✅ Confirmed by @sdzhepa
Thank you for verifying the issue. Based on the provided information internal tickets MC-31414 were created

Issue Available: @sdzhepa, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[pipe-devnull]

Hi,

I have this issue migrating from 1.9.4.X to 2.3.4. I just found this issue while partway through a migration and now have thousands of accounts with passwords that will not work on the M2.3.4 site. Do you have a workaround?

[SamJUK]

We got the client to just get customers to reset their password until a offical mage fix, since its around 5% of the userbase affected.

If you wanted to implement a fix, although i haven't tried it, you could do something along the lines of modifying the isValidHash method of \Magento\Framework\Encryption\Encryptor. Where you chec the first 4 characters and if they match the start of a bcrypt password $2y$, if so try the password_verify function against it. Obviously test on a dev site and make sure you test through thoroughly before implementing in a live environment.

So something like

public function isValidHash($password, $hash)
{
    if (stripos($hash, '$2y$') === 0) {
        return password_verify($password, $hash);
    }
    ...
}