• This is a huge flaw. I have a 40 character password (this is for a puzzle game.) As long as people submit a partially correct password, it unlocks. WHY?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter comalloy

    (@comalloy)

    I updated to Blowfish, but you still don’t have to have the complete password to access.

    Are you saving the password hashes? You’ll need to clear out the transients as well, as your password needs to be rehashed.

    Did clearing out the transients work for you?

    I am having the exact same issue. I have cleared out transients and am not sure how to go about rehashing the passwords.

    If you’re saving the hashes as transients, they’ll rehash automatically over time as your visitors visit pages/posts with Content Protector forms. Hopefully, you first followed the link above where it’s explained that the Standard DES algorithm only looks at the first 8 (eight) characters in generating a hash. That is, any two strings that share the first 8 characters in common – regardless of their actual lengths – will hash the same way in Standard DES and can unlock your content if your password also starts with those characters. This is a limitation of the Standard DES algorithm itself.
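
The 8-character limit described in the reply above, as an added example that is not part of the original thread or the Content Protector plugin's own code: it checks a full password and a partial one against a Standard DES hash and a Blowfish (bcrypt) hash, and classifies each stored hash by format so you can tell whether it was actually rehashed. The password, the salt `ab`, and the helper names `hash_scheme` and `unlocks` are assumptions made for illustration.

```php
<?php
// Added example; sample password and salt are constructed, not from the thread.

/** Classify a crypt()-style hash by its format (hypothetical helper). */
function hash_scheme(string $hash): string
{
    if (preg_match('/^\$2[axy]\$\d{2}\$[.\/0-9A-Za-z]{53}$/', $hash)) {
        return 'blowfish';            // $2y$<cost>$<22-char salt><31-char digest>
    }
    if (preg_match('/^[.\/0-9A-Za-z]{13}$/', $hash)) {
        return 'std_des';             // 2-char salt + 11-char digest
    }
    return 'other';
}

/** True when the candidate verifies against the stored hash (hypothetical helper). */
function unlocks(string $candidate, string $storedHash): bool
{
    // crypt() reads the algorithm and salt from the stored hash itself,
    // so a hash created under Standard DES is always checked as Standard DES.
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

$password = 'correct-horse-battery-staple-puzzle-0042';     // 40 characters
$partial  = substr($password, 0, 8) . ' and then anything'; // same first 8 only

$stored = [
    crypt($password, 'ab'),                      // Standard DES: two-character salt
    password_hash($password, PASSWORD_BCRYPT),   // Blowfish-based bcrypt
];

foreach ($stored as $hash) {
    printf(
        "%-8s full=%-3s partial=%-3s\n",
        hash_scheme($hash),
        unlocks($password, $hash) ? 'yes' : 'no',
        unlocks($partial, $hash) ? 'yes' : 'no'
    );
}
```

A stored hash that still classifies as `std_des` after the algorithm setting was changed has not been rehashed, and it will keep accepting any input that matches the first 8 characters.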

    I have already changed the encryption to Blowfish and it is still only passing with the eight characters.

    And you did uncheck Store Encrypted Passwords under the General tab? If so, and keeping it unchecked doesn’t change anything, there may be some caching occurring on your host.

  • The topic ‘URGENT PROBLEM Password unlocks even without complete solution’ is closed to new replies.