Closed Bug 3029 Opened 26 years ago Closed 25 years ago

passwords broken for 1 out of 26 people

Categories

(Bugzilla :: Bugzilla-General, defect, P1)

VERIFIED FIXED
Bugzilla old

People

(Reporter: lchiang, Assigned: terry)

I'm entering this for nbaca@netscape.com because she cannot access bugzilla.

Nbaca has tried (on different machines) to log into bugzilla.  Each time, the
login has failed.  She asked that bugzilla email her the password, which it did,
but still no luck in logging in (even w/ a copy and paste of the password from
the email!).

Can you reset nbaca's password to "netscape" so that she can log in and change
her password again?

Call nbaca at x6406 or email her to confirm since I'm entering this bug for her.

Thanks!
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Damn.  Damn damn damn damn damn.

I wish I knew what was causing this.  On rare occasion, something seems
to go through and wipe out the passwords for a few people.  Just a few.

Anyway, I apologize.  nbaca, the password that bugzilla mails to you should
now work.
Status: RESOLVED → VERIFIED
I am now able to enter Bugzilla. Thanks!
Blocks: 5843, 16233
Status: VERIFIED → REOPENED
I have encountered the bug while helping to manage the bugzilla installation
on www.e-speak.net.

The problem seems to be caused by a difference in the way that perl encrypts
passwords and the way that mysql encrypts them.  In bugzilla, the initial
password is encrypted by MySQL and verified against a password encrypted
in perl.  The two encrypted passwords seem not to match in cases where the
encrypted password begins with two equal characters.  Brian Behlendorf pointed
out that the rate of occurrence seems to be almost 1/26.

For example, you can find a list of all people who cannot log in by using
the following query:
select login_name
from profiles
where SUBSTRING(cryptpassword, 1, 1) =  SUBSTRING(cryptpassword, 2, 1);

The solution I used was to (1) do all encryption in perl and none in mysql;
and (2) put the perl password generation logic in a loop that generates
new salt until the first two characters of the encrypted password are not
equal.

jason!

======================================================================
Jason Robbins, Ph.D.      Collab.Net is hiring open source developers!
Senior Software Engineer                    http://www.collab.net/jobs
======================================================================
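
The workaround described in the comment above (hash only in Perl, regenerate the salt until the first two characters of the result differ) together with the audit query, sketched in Perl as an added example; it is not code from this bug or from Bugzilla. The names `new_salt`, `hash_password`, `check_password` and `affected_logins` are hypothetical, the rows are constructed, and traditional crypt(3) with a two-character salt that prefixes the output is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Salt alphabet of traditional crypt(3): ./0-9A-Za-z
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Pick a two-character salt whose characters differ. Traditional crypt output
# starts with the salt, so the stored value never begins with two equal
# characters (the condition the thread ties to failed logins).
sub new_salt {
    my $salt;
    do {
        $salt = join '', map { $SALT_CHARS[int rand @SALT_CHARS] } 1 .. 2;
    } while (substr($salt, 0, 1) eq substr($salt, 1, 1));
    return $salt;
}

# Verify with the same implementation that produced the stored value.
sub check_password {
    my ($plain, $stored) = @_;
    my $try = crypt($plain, $stored);
    return defined $try && $try eq $stored;
}

# Hash in Perl only, and refuse to store a value that does not verify.
sub hash_password {
    my ($plain) = @_;
    my $hash = crypt($plain, new_salt());
    die "crypt() failed\n" unless defined $hash;
    die "round-trip check failed\n" unless check_password($plain, $hash);
    return $hash;
}

# Perl-side equivalent of the SQL audit query, for rows already fetched.
sub affected_logins {
    my (@rows) = @_;
    return map  { $_->{login_name} }
           grep { substr($_->{cryptpassword}, 0, 1) eq substr($_->{cryptpassword}, 1, 1) }
           @rows;
}

# Constructed sample rows; the second value is a placeholder, not a real hash.
my @rows = (
    { login_name => 'ok@example.com',     cryptpassword => hash_password('example-pass') },
    { login_name => 'broken@example.com', cryptpassword => 'ZZplaceholder0' },
);
print "$_\n" for affected_logins(@rows);
```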
Hot damn!  Someone finally figured this out!  Thank you, thank you!

Do you have the patches you mentioned available?
Status: REOPENED → ASSIGNED
Priority: P2 → P1
Resolution: FIXED → ---
*** Bug 5843 has been marked as a duplicate of this bug. ***
*** Bug 16233 has been marked as a duplicate of this bug. ***
Status: ASSIGNED → RESOLVED
Closed: 26 years ago → 25 years ago
Resolution: --- → FIXED
OK, I have come up with my own patch and have checked it in.

My fix causes all encryption to happen in MySQL, not in perl.

Thanks again for figuring this out!
Verified
No longer blocks: 5843, 16233
Status: RESOLVED → VERIFIED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
QA Contact: matty
Target Milestone: --- → Bugzilla old
Version: other → unspecified
fixing summary so nobody accidentally moves this to the mozilla.org product
Summary: Pls reset the password for nbaca@netscape.com. → passwords broken for 1 out of 26 people
QA Contact: matty_is_a_geek → default-qa