New user password not hashed

Hi Mark,

Can you explain step by step how to reproduce this issue ?

Thanks,

Your solution works great!

I had the same issue, I was having issues when any user reseted their password, after looking to the information with Devel I notice that the password was plain text (so a "123" password was stored as "123")

Thanks for the solution.

Yes, great improvement to the overall User experience - should be in Drupal Core! For the Drupal sites I manage, the single most common support request we get form users is related to confusion they have with the password reset process and this just makes much more sense.

I also had the same issue with password's not getting hashed - but interestingly, only on the live site server (using Nginx and PHP 5.6.4-1) whereas on my local dev environment (using Apache on Mac with PHP 5.5.14) with all the same code and same DB, it works fine.

When I added the $account->pass = user_hash_password($account->pass); line from mxwitkowski's original post to the live site then it worked fine. Also worked fine on the dev site (ie it didn't disrupt it already working).

Anyone got a clue as to why it doesn't work in some cases?

Just experienced this on an Acquia server, whereas was fine on my local vagrant box :/

Find attached a patch.

Just found this issue. I think it is Critical, because passwords should never go unhashed into the database.

Tested the patch: works like a charm.

I'd agree with that!

The issue isn't that the new password isn't being hashed. It's that some module or another on your site is writing to the database on hook_user_login() as far as I can tell. By the time the code this patch is concerned with is invoked, the core submit handlers for this form have been invoked and saved the new hashed password. But somehow the user profile data is being re-saved, and because this module's submit handler sets the currently logged in user using outdated data from the $form_state, the global user account object has the unhashed password in it.

All that to say, the solution is to imitate user_login_submit() and load the user object afresh. There may be other unknown changes in it anyways. See the attached patch if you're curious what it looks like. I think the PHP difference some people pointed out was irrelevant (I tested in both PHP 5.5 and 5.6 and had hashed passwords) and suspect there's something else different between your site's environments that caused the unhashed password to be saved after the hashed one was.

Committed.

(Since this module itself wasn't saving the unhashed password, I demoted it to Major.)

Will give latest dev a go, thanks for this. Do you have a sense when you'll next do a stable release?

Just rolled it! Waiting on d.o to package it up now. : )

It's up now. : )

Thanks @rszrama for the update - just updated to 7.x-1.5 and works fine now in both of the environments I'm using (Apache and Nginx) - passwords properly hashed.

W00t w00t, that's what I like to hear. : D

Excellent! Thanks again :)

Thanks for the module, and for the report and the fix.

I know this is old. However, not everyone applies non-security updates, so I suggesting marking a fixed update as a security update.

The risk is that one leaves the update and ends up with many hundreds of user name + email + plain text password sets in the users table, which is a real security risk. I have seen that happen.