When passwords are salted with this module, the default registration email, or any customized email that includes the "!password" placeholder, will include the password salt value. This exposes the salt and gives the user the wrong login password.

This happens because password salting is done by modifying the submitted form value. It should be done when passwords are read from or written to the database, but there is no obvious hook on those functions.
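As an added illustration, not code from the salt module or from this issue, the following Python model contrasts the two layerings described above: salting by rewriting the submitted form value versus salting only at the storage read/write boundary. It assumes a constant salt, a SHA-256 stand-in for the stored hash and a mail template that uses the !password placeholder; all of these are constructed, and only the layering matters.

```python
import hashlib
import hmac

# Constructed example data (not a real deployment's values).
SALT = "s3cr3tsalt"
MAIL_TEMPLATE = "Welcome !username. Your password is: !password"

def digest(value: str) -> str:
    """Stand-in for the stored password hash; Drupal 6 used a different scheme."""
    return hashlib.sha256(value.encode()).hexdigest()

def render_mail(form: dict) -> str:
    """Welcome mail: the !password placeholder is filled from the submitted form value."""
    return MAIL_TEMPLATE.replace("!username", form["name"]).replace("!password", form["pass"])

def password_from_mail(mail_body: str) -> str:
    """What the recipient will type at login: the text after 'password is: '."""
    return mail_body.split("password is: ", 1)[1]

# --- Buggy layering: the module rewrites the submitted form value ---------------
def salt_form_value(form: dict) -> dict:
    salted = dict(form)
    salted["pass"] = SALT + form["pass"]
    return salted

def register_buggy(form: dict) -> tuple[str, str]:
    salted = salt_form_value(form)          # mutation happens before save AND before mail
    return digest(salted["pass"]), render_mail(salted)

def login_buggy(stored_hash: str, attempt: str) -> bool:
    salted = salt_form_value({"name": "", "pass": attempt})  # login form rewritten the same way
    return hmac.compare_digest(stored_hash, digest(salted["pass"]))

# --- Intended layering: salt only where passwords are written to / read from storage ---
def write_password(plaintext: str) -> str:
    return digest(SALT + plaintext)

def register_fixed(form: dict) -> tuple[str, str]:
    return write_password(form["pass"]), render_mail(form)  # mail sees what the user typed

def login_fixed(stored_hash: str, attempt: str) -> bool:
    return hmac.compare_digest(stored_hash, digest(SALT + attempt))

def leaks_salt(mail_body: str) -> bool:
    """Regression check: the outgoing mail must never contain the salt."""
    return SALT in mail_body
```

In the buggy path the emailed password is salt plus password, so pasting it at login fails while the salt is disclosed; in the fixed path the mail carries exactly what the user typed and login succeeds with it.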

Attachment (comment #2): salt_fix_exposed_salt.diff, 2.26 KB, by HGS

Comments

sheket:

It's been a few months... Any updates on this issue? This is a fairly large problem, because it breaks normal password email functionality, and exposes the salt, making it easier for an attacker to generate a hash table of password values.

HGS:

Status: new
File size: 2.26 KB

We had similar problems with our email registration. I've added an implementation of the hook_user hook and used that to update the password.

Zen:

Status: Active » Closed (duplicate)

Marking this as a dupe of #327220: Autogenerated password not salted

Personally, I recommend against including the auto-generated password in the welcome e-mail at all and just relying on the login link. Salting generated passwords without a core patch is, afaik, only possible with a mail_alter. If you have a better approach, please reopen the linked issue.

Thanks,
-K