• Resolved Jeff Sherk

    (@jsherk)


    I have 5 production installs of WP 2.3.3 on my host, and have installed v2.5.RC1 in my sandbox on the same host. They all share a common user table for the user names and passwords.

    I can no longer log into my 2.3.3 blogs using any user that has logged into 2.5.rc1… it gives a password incorrect error. And there have been no changes to the database or usernames or passwords.

    I have to physically go into the database and change the md5 password to something else in order to be able to log back into the 2.3.3 blogs. It will then work fine again, until I use that username to login to the 2.5.rc1 blog, and then it no longer works again on the 2.3.3 blogs.

    Is there a ‘bug tracker’ where I should report this issue, instead of in this forum?

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Jeff Sherk

    (@jsherk)

    Just as an addition to this…

    I noticed that the problem occurs because when I log into 2.5.rc1 it actually CHANGES the password in the database!!!

    Why is 2.5.rc1 changing the passwords in the user database??? Is it a different encoding than md5? It has no problem recognizing the original md5 password, but still changes it???

    From what I understand, it has something to do with the added ‘salt’ protection. I’m left to suspect that if there is no salt, it will use the existing password, but once RC1 touches it, the salt changes the hash and a new md5 is made?

    This is just a 100% guess, so don’t quote me here…

    Oh, is that what’s happening? I noticed that too, but I was using a WP.com hosted blog before last week. When I finally got my WP 2.5 installed, I noticed that I was locked out of my WP.com site until I used my new password. The only problem is that now I’m also not recognized on OpenID via WP.

    Thread Starter Jeff Sherk

    (@jsherk)

    Apparently this is supposed to happen… they have changed the security for passwords, so it changes/upgrades the passwords to a new one.

    BUT… somebody has already written a plugin that works around this problem (well I guess it’s not a problem for everybody):

    Read about it here:
    https://boren.nu/archives/2008/03/27/md5-password-hashes-for-25/

    Thread Starter Jeff Sherk

    (@jsherk)

    Here is the download link from the WordPress site:
    https://www.ads-software.com/extend/plugins/md5-password-hashes/

  • The topic ‘login on 2.5.RC1 causes other WP installs (2.3.3) to not accept password’ is closed to new replies.
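
Added example, not part of the original thread and not WordPress code: a small simulation of the behaviour discussed above, where a newer install accepts an MD5 password, rewrites the shared row with a salted hash on successful login, and an older install sharing that user table can then no longer verify it. The salted scheme (PBKDF2 with a `$demo$` prefix), the function names and the sample user are assumptions for illustration.

```python
import hashlib
import hmac
import os

PREFIX = "$demo$"  # marker for the stand-in salted format (assumption, not WordPress's)

def md5_hex(password):
    """Unsalted MD5, the legacy format the older installs expect."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=100_000):
    """Stand-in salted hash: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}{iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password, stored):
    _, _, iterations, salt_hex, _ = stored.split("$")
    expected = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(stored, expected)

def legacy_login(users, name, password):
    """Older install: only knows how to compare against an MD5 hex digest."""
    return hmac.compare_digest(users.get(name, ""), md5_hex(password))

def upgrading_login(users, name, password):
    """Newer install: accepts MD5, then rewrites the shared row with a salted hash."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith(PREFIX):
        return verify_salted(password, stored)
    if hmac.compare_digest(stored, md5_hex(password)):
        users[name] = salted_hash(password)  # hash upgraded on successful login
        return True
    return False

def demo():
    users = {"alice": md5_hex("constructed-pass")}  # constructed shared user table
    return [
        legacy_login(users, "alice", "constructed-pass"),     # old install works
        upgrading_login(users, "alice", "constructed-pass"),  # new install logs in, rewrites row
        users["alice"].startswith(PREFIX),                    # row is no longer MD5
        legacy_login(users, "alice", "constructed-pass"),     # old install now rejects
        upgrading_login(users, "alice", "constructed-pass"),  # new install still works
    ]

if __name__ == "__main__":
    print(demo())
```

A failed login leaves the stored hash untouched; the row is only rewritten after the correct password has been presented.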