Password settings changed after Rebuild. Users unable to login

(Ted Strauss) #1

A colleague (@frak) upgraded their Discourse today. (I don’t know what the prev version was.)

Users are now all locked out, because it seems that the minimum password length setting changed during the upgrade, and user passwords are no longer being recognized.

Is this a known situation? Any known fix?

(Jay Pfaffman) #2

I don’t think that’s supposed to happen and that if it is, it’s a bug.

You might try changing the minimum password length site setting and/or tell people to do the forgot password procedure to set a new password.

Are there any plugins installed? have you tried safe-mode?

(Francois) #3

More details:

I installed the sitemap plugin, rebuilt the package, and found myself locked out. I just had an “Incorrect username, email or password” message.
I tried to reset my password and found out that it was asking me for a 15-char password, while my (admin) password had only 10 characters.
I don’t know which version was installed previously (installed after March 2017), but I guess either the default length of the passwords changed between the two versions (in this case, maybe newly locked-out users and admins should be notified with a different error message), or some preferences were reset.

I changed the minimum password length to 8 for regular users and 10 for admins. I don’t know if these were the previous settings, but at least everybody can log in again (I hope).

(Jay Pfaffman) #4

This sounds like a legitimate bug, then. Perhaps @jomaxro can reproduce or ask the appropriate person to give it a look.

(Francois) #5

Well, the person who did the install just told me he had modified the code to allow users from our old VBulletin to use their old passwords.

So no bug, but maybe a suggestion for improving the import of a VBulletin database to Discourse.

(Jay Pfaffman) #6

That’s a known limitation of that plugin. There’s really nothing to do other than tell people to not use too-short passwords, or passwords that appear on the 10,000 most common password list.

(Francois) #7

I cannot get this to work… Are there any guidelines somewhere on how to log in using passwords hashed with an old VBulletin?

(Francois) #8

Well, from what I understand, the issue is also the password hashing, not only the length.

(Jay Pfaffman) #9

I understood you to say that the migrated passwords were working until you upgraded and the password lengths were changed. The way that the plugin works, it won’t let users log in with passwords that Discourse does not approve of (for whatever reason). The only real solution is to tell people that if their password doesn’t work then they need to set a new one. See Cannot login to dev instance with imported user

(Richard) #10

I doubt that, we used this to migrate quite a lot of old VBulletin instances.

If I have some time tomorrow, I will add an extra option to the plugin ‘Allow insecure passwords’ which will not insist on re-storing the password. (Yes, I know there are objections against this, but hey, those users have been using that password for years already).

(Michael) #11

If this were caused by the migratepassword plugin, it would only affect the first time a user logged into Discourse.

So if you have been using Discourse for a longer time and now suddenly no one(!) can log in, I don’t think this is caused by the plugin.

Edit: @pfaffman I just clicked through to the Google doc - seems he isn’t even using the plugin, you jumped to conclusions when you edited the topic title :smiley:

(Jay Pfaffman) #12

Oh. Then I have no idea what this topic is about. I changed the title back. :slight_smile:

(Michael) #13

The topic is about “hacking the code” instead of using my great plugin which would have actually prevented all of this :sunglasses:

(Jay Pfaffman) #14

Your plugin is so great that when I’ve stuck in hashed passwords from forums it doesn’t even claim to support, it worked!

(Ted Strauss) #15

So what’s the status of the issue now?
Have you asked other users to try to login?

(Richard) #16

I have now made that change (although it will not help to resolve the issue in this topic at all :slight_smile: )

(Francois) #17

I’m trying to get people who didn’t change their passwords recently to try, but two claimed they cannot log in, but also that they are not 100% sure of their passwords… I can’t blame them, I also typically try 2 or 3 different passwords when I log in on a forum I rarely use.
I’ll wait for some more detailed feedback.

(Francois) #18

Was there a clean way to convert/use the old VBulletin passwords without editing the code?
That would help for future maintenance of this forum…

(Richard) #19

Yes, there is a plugin for that. All you need to do is make sure the encrypted password and salt are stored in a custom user field called import_pass

The plugin does support VBulletin 4 and 5 encryption methods, but I see that the official VBulletin 4 importer does not have any code for it (we used to have our own importer for it but we stopped maintaining that)

I’m a bit reluctant to make a pull request since I don’t have a VBulletin 4 database to test with, but it should not be hard. All you need is to add an extra column called password in the SQL query in import_users which contains the password and the salt separated by a colon:

CONCAT(password, ':', salt) AS password

and then add user["password"] to the struct that is passed to the base importer.

password: user["password"],
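
The import_pass layout described in this post (stored hash, a colon, then the salt) and the behaviour Jay describes in #9 (the plugin only honours the old hash when the password also passes Discourse’s own policy, since it re-stores it as a regular Discourse password) can be put together in a few lines. The following is an added illustration written for this thread, not code from the migratepassword plugin or from Discourse; the minimum lengths, the small common-password list and the helper names are assumptions. It uses the vBulletin 3.x/4.x scheme, md5(md5(password) + salt); vBulletin 5 hashes differently and is not covered here.

```ruby
require "digest/md5"

# Assumed policy values for this example: Discourse's own defaults may differ,
# and the thread's site ended up at 8 (users) and 10 (admins).
MIN_PASSWORD_LENGTH = 10
MIN_ADMIN_PASSWORD_LENGTH = 15

# Constructed stand-in for the "10,000 most common passwords" list mentioned in #6.
COMMON_PASSWORDS = %w[password 123456789 qwertyuiop letmein1234].freeze

# vBulletin 3.x/4.x stores md5(md5(password) + salt) as a 32-char hex string.
def vb4_hash(password, salt)
  Digest::MD5.hexdigest(Digest::MD5.hexdigest(password) + salt)
end

# Value to put in the import_pass custom user field: hash, colon, salt.
# Same shape as CONCAT(password, ':', salt) in the importer query above.
def import_pass_value(stored_hash, salt)
  "#{stored_hash}:#{salt}"
end

# Compare two equal-length strings without an early exit on the first mismatch.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Does the candidate password reproduce the imported vBulletin hash?
# Split on the first colon only: the hex hash never contains one, but a
# vBulletin salt can, so everything after the first colon is the salt.
def vb4_password_matches?(import_pass, candidate)
  stored_hash, salt = import_pass.to_s.split(":", 2)
  return false if stored_hash.nil? || salt.nil? || stored_hash.length != 32
  constant_time_eq(vb4_hash(candidate, salt), stored_hash)
end

# Outcome of a first login for an imported user (hypothetical helper).
#   :wrong_password  the old hash does not match, treat as a normal failed login
#   :needs_reset     the old hash matches but Discourse would refuse to store this
#                    password, so the user has to go through "forgot password"
#   :ok              matches and passes policy; safe to re-store as a Discourse password
def migrate_login(import_pass, candidate, admin: false)
  return :wrong_password unless vb4_password_matches?(import_pass, candidate)

  min_length = admin ? MIN_ADMIN_PASSWORD_LENGTH : MIN_PASSWORD_LENGTH
  return :needs_reset if candidate.length < min_length
  return :needs_reset if COMMON_PASSWORDS.include?(candidate)

  :ok
end

if __FILE__ == $PROGRAM_NAME
  salt = "Ab3"                                         # constructed sample salt
  stored = import_pass_value(vb4_hash("correct horse", salt), salt)
  puts migrate_login(stored, "correct horse")               # 13 chars, user minimum met
  puts migrate_login(stored, "correct horse", admin: true)  # below the admin minimum
  puts migrate_login(stored, "wrong horse")
end
```

The point the example makes concrete is the one Francois ran into: a matching old hash is not enough on its own, because the first successful login is also the moment the password gets re-stored under Discourse’s rules, and a policy change between versions turns every imported-but-not-yet-migrated user into a :needs_reset case.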

(Jay Pfaffman) #20

I’ve got a version of the vbulletin plugin with the password added (among other things) that Real Soon Now I’ll submit a PR for. Whether Real Soon Now is a week a month or more, I can’t promise.

But my query looks like this (you may not have IMPORT_AFTER defined in your version of the script, but you should safely be able to delete that AND line):

    batches(BATCH_SIZE) do |offset|
      # password and salt are pulled alongside the existing columns so they can be
      # handed to the base importer below
      users = mysql_query(<<-SQL
          SELECT userid, username, homepage, usertitle, usergroupid, joindate, email,
                 password, salt
            FROM #{TABLE_PREFIX}user
           WHERE userid > #{last_user_id}
             AND lastactivity > UNIX_TIMESTAMP(STR_TO_DATE('#{IMPORT_AFTER}', '%Y-%m-%d'))
        ORDER BY userid
           LIMIT #{BATCH_SIZE}
      SQL
      )
      # ... rest of the batch (empty check, create_users call) unchanged
    end

and in the create_users block you’ll add a line like this:

      password: "#{user['password']}:#{user['salt']}",