
Explain about the old password hash wipe in "invalid password" message #47

Closed
ato opened this issue May 13, 2012 · 3 comments

@ato
Collaborator

ato commented May 13, 2012

There's no indication on the website that the old salted SHA1 password hashes have been wiped. So users who don't rigorously read the Clojure mailing list, disclojure, twitter, etc. aren't aware of it. This is causing confusion: someone emailed me asking if logins to the site were broken globally.

When displaying "invalid password" we should link to an explanation like Phil's mailing list announcement and suggest using the "forgot password" feature.

https://groups.google.com/group/clojure/browse_thread/thread/5e0d48d2b82df39b

@technomancy
Collaborator

Good point. I'll see if I can add this some time next week.

@ato ato reopened this May 31, 2012
@ato
Collaborator Author

ato commented May 31, 2012

Something's still funny with the password wipe. A user reported getting a 500 error when trying to log in. The logs show:

2012-05-30 23:57:58.245:WARN::/login
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
        at java.lang.String.charAt(String.java:694)
        at org.mindrot.jbcrypt.BCrypt.hashpw(BCrypt.java:663)
        at org.mindrot.jbcrypt.BCrypt.checkpw(BCrypt.java:763)
        at cemerick.friend.credentials$bcrypt_credential_fn.invoke(credentials.clj:24)
        at clojure.lang.AFn.applyToHelper(AFn.java:163)
        at clojure.lang.AFn.applyTo(AFn.java:151)
        at clojure.core$apply.invoke(core.clj:603)
        at clojure.core$partial$fn__4070.doInvoke(core.clj:2343)
        at clojure.lang.RestFn.invoke(RestFn.java:408)
        at cemerick.friend.workflows$interactive_form$fn__1744.invoke(workflows.clj:74)
        at cemerick.friend$authenticate_STAR_$fn__1329.invoke(friend.clj:143)
        at clojure.core$map$fn__4087.invoke(core.clj:2432)
        at clojure.lang.LazySeq.sval(LazySeq.java:42)
        at clojure.lang.LazySeq.seq(LazySeq.java:60)
        at clojure.lang.RT.seq(RT.java:473)
        at clojure.core$seq.invoke(core.clj:133)
        at clojure.core$filter$fn__4106.invoke(core.clj:2470)
        at clojure.lang.LazySeq.sval(LazySeq.java:42)
        at clojure.lang.LazySeq.seq(LazySeq.java:60)
        at clojure.lang.LazySeq.first(LazySeq.java:82)
        at clojure.lang.RT.first(RT.java:566)
        at clojure.core$first.invoke(core.clj:55)
        at cemerick.friend$authenticate_STAR_.invoke(friend.clj:143)
        at cemerick.friend$authenticate$fn__1338.invoke(friend.clj:175)
        at ring.middleware.resource$wrap_resource$fn__2406.invoke(resource.clj:14)
        at ring.middleware.file_info$wrap_file_info$fn__1672.invoke(file_info.clj:40)
        at ring.middleware.keyword_params$wrap_keyword_params$fn__2455.invoke(keyword_params.clj:27)
        at ring.middleware.nested_params$wrap_nested_params$fn__2492.invoke(nested_params.clj:65)
        at ring.middleware.params$wrap_params$fn__2429.invoke(params.clj:76)
        at ring.middleware.multipart_params$wrap_multipart_params$fn__2518.invoke(multipart_params.clj:103)
        at ring.middleware.flash$wrap_flash$fn__2681.invoke(flash.clj:14)
        at ring.middleware.session$wrap_session$fn__2674.invoke(session.clj:40)
        at ring.middleware.cookies$wrap_cookies$fn__2611.invoke(cookies.clj:150)
        at compojure.core$routing$fn__1624.invoke(core.clj:98)
        at clojure.core$some.invoke(core.clj:2390)
        at compojure.core$routing.doInvoke(core.clj:98)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invoke(core.clj:603)
        at compojure.core$routes$fn__1628.invoke(core.clj:103)
        at ring.adapter.jetty$proxy_handler$fn__1182.invoke(jetty.clj:16)

Their password field is empty in the database, but the salt is not.

@xeqi xeqi closed this as completed in fdb69e7 Jun 1, 2012
@xeqi
Collaborator

xeqi commented Jun 1, 2012

Fixed. Might have been introduced by my usage of friend.

swr1bm86 pushed a commit to swr1bm86/clojars-web that referenced this issue Oct 3, 2015
Check for empty password before passing to bcrypt.
Otherwise when a user logs in and has a wiped password
bcrypt will die.  Fixes clojars#47
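The guard the fix commit describes, as an added Clojure example that is not clojars-web's or friend's own code. It calls jbcrypt's `BCrypt/checkpw` directly (the library at the top of the stack trace above) and assumes the friend-style credential-function shape of `(load-credentials-fn {:username .. :password ..})` returning a credential map or nil; the in-memory user store is constructed sample data, and the `example.credentials` namespace and function names are made up for this illustration. An account whose hash column was wiped (the salt column may still be populated) now yields an ordinary nil, so the login page shows "invalid password" instead of a 500.

```clojure
(ns example.credentials
  "Added example, not clojars-web's or friend's code: a bcrypt credential
   function that treats a wiped (empty) stored hash as a failed login
   instead of handing it to jbcrypt, which throws on an empty string."
  (:require [clojure.string :as str])
  (:import [org.mindrot.jbcrypt BCrypt]))

(defn usable-hash?
  "True when STORED looks like a bcrypt hash ($2a$.., $2y$.. etc.).
   A wiped account has an empty :password column; BCrypt/hashpw calls
   String.charAt(0) on it and throws StringIndexOutOfBoundsException,
   which is what surfaced as the 500 in the issue."
  [stored]
  (and (string? stored)
       (not (str/blank? stored))
       (.startsWith ^String stored "$2")))

(defn safe-bcrypt-verify
  "Returns true only when STORED is a usable bcrypt hash and CANDIDATE
   matches it. A missing candidate or a malformed hash is a mismatch,
   not a server error."
  [candidate stored]
  (boolean
   (and (string? candidate)
        (usable-hash? stored)
        (try
          (BCrypt/checkpw candidate stored)
          ;; jbcrypt throws IllegalArgumentException for a bad salt/version
          (catch IllegalArgumentException _ false)))))

(defn bcrypt-credential-fn
  "Assumed friend-style credential fn: LOAD-CREDENTIALS-FN maps a username
   to {:username .. :password <bcrypt hash> ..} or nil. Returns the
   credential map without the hash on success, nil otherwise (including
   for a wiped account), so the caller shows its ordinary invalid-login page."
  [load-credentials-fn {:keys [username password]}]
  (when-let [creds (load-credentials-fn username)]
    (when (safe-bcrypt-verify password (:password creds))
      (dissoc creds :password))))

;; Constructed sample store: one live account, one whose hash was wiped.
;; A map works as load-credentials-fn because Clojure maps are functions.
(def sample-users
  {"alice" {:username "alice"
            :password (BCrypt/hashpw "correct horse" (BCrypt/gensalt 10))}
   "bob"   {:username "bob" :password ""}})

(defn demo
  "Runs both cases; the wiped account fails cleanly instead of throwing."
  []
  {:alice-ok    (bcrypt-credential-fn sample-users {:username "alice" :password "correct horse"})
   :alice-wrong (bcrypt-credential-fn sample-users {:username "alice" :password "wrong"})
   :bob-wiped   (bcrypt-credential-fn sample-users {:username "bob" :password "anything"})})
```

Calling `(demo)` returns alice's credential map without its hash under `:alice-ok` and nil for the other two keys. The login handler then attaches the explanation link and the "forgot password" suggestion to every nil result rather than branching on whether the hash was wiped; since every pre-wipe account is in the same state, a uniform message covers them all without telling an anonymous visitor which usernames exist.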