Original issue 36 created by ZetaMUCK on 2014-10-18T10:49:04.000Z:
db_hash_compare() treats the hash as a null-terminated string, but db_hash_password() does not exclude null bytes when generating random character bytes for a new password salt.
    if (!saltin || !*saltin) {
        for (i = 0; i < 8; i++)
            salt[i] = (unsigned char) (RANDOM() & 0xFF) + 1;   /* 0xFF + 1 == 256, which wraps to 0 in an unsigned char */
        salt[8] = '\0';
On databases where password hashing has been enabled, this will randomly result in an assigned password being unmatchable by check_password(), creating an inadvertent account lockout.
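The following is an added example that models the failure described above; it is not Fuzzball's db_hash_password()/db_hash_compare() code, and the record layout ("$" + 8 raw salt bytes + "$" + 16 hex digits), the FNV-1a stand-in for the real hash, the function names and the table of RANDOM() outputs are all constructed for the demonstration. It feeds the same fixed sequence of "random" values to the original salt expression and to a corrected one, then runs an enrol-then-login round trip with each to show that the wrapped byte produces a record that can never be matched, while the corrected salt matches as expected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN   8
#define RECORD_LEN 64

/* Salt generator as in the report: (r & 0xFF) + 1 ranges 1..256, and 256
 * wraps to 0 when stored in an unsigned char, leaving an embedded NUL.
 * "Random" values come from a caller-supplied table so the bad case can be
 * forced deterministically (constructed stand-in for RANDOM()). */
static void make_salt_buggy(unsigned char *salt, const unsigned int *rnd)
{
    for (int i = 0; i < SALT_LEN; i++)
        salt[i] = (unsigned char) (rnd[i] & 0xFF) + 1;
    salt[SALT_LEN] = '\0';
}

/* Corrected generator: reduce modulo 255 before adding 1, so every byte is
 * in 1..255 and the salt never contains a NUL. */
static void make_salt_fixed(unsigned char *salt, const unsigned int *rnd)
{
    for (int i = 0; i < SALT_LEN; i++)
        salt[i] = (unsigned char) ((rnd[i] % 255) + 1);
    salt[SALT_LEN] = '\0';
}

/* 1 if string functions would see fewer than SALT_LEN salt bytes. */
static int salt_truncated(const unsigned char *salt)
{
    return strlen((const char *) salt) < SALT_LEN;
}

/* Stand-in hash (64-bit FNV-1a over salt bytes, then the password). Not a
 * password hash; it only has to be deterministic for this demonstration. */
static uint64_t toy_hash(const unsigned char *salt, size_t saltlen, const char *pass)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < saltlen; i++) { h ^= salt[i];               h *= 0x100000001b3ULL; }
    for (const char *p = pass; *p; p++)  { h ^= (unsigned char) *p;    h *= 0x100000001b3ULL; }
    return h;
}

/* Enrolment side: hashes over all SALT_LEN bytes of the salt, then writes
 * the record as a C string. An embedded NUL in the salt cuts the record
 * short at that point because %s stops at the NUL. */
static void hash_password(char *out, const char *pass, const unsigned char *salt)
{
    uint64_t h = toy_hash(salt, SALT_LEN, pass);
    snprintf(out, RECORD_LEN, "$%s$%016llx", (const char *) salt, (unsigned long long) h);
}

/* Login side: treats the stored record as a null-terminated string with the
 * layout '$' + SALT_LEN salt bytes + '$' + 16 hex digits. A record that lost
 * bytes to an embedded NUL can never pass this check. Returns 1 on match. */
static int hash_compare(const char *stored, const char *pass)
{
    char hex[17];
    if (strlen(stored) != 1 + SALT_LEN + 1 + 16) return 0;
    if (stored[0] != '$' || stored[1 + SALT_LEN] != '$') return 0;
    snprintf(hex, sizeof hex, "%016llx",
             (unsigned long long) toy_hash((const unsigned char *) stored + 1, SALT_LEN, pass));
    return strcmp(stored + 1 + SALT_LEN + 1, hex) == 0;
}

typedef void (*salt_fn)(unsigned char *, const unsigned int *);

/* One enrol-then-login round trip with the given salt generator and RANDOM()
 * table. Returns 1 if the password is accepted, 0 if the account is locked out. */
static int round_trip(salt_fn gen, const unsigned int *rnd, const char *pass)
{
    unsigned char salt[SALT_LEN + 1];
    char record[RECORD_LEN];
    gen(salt, rnd);
    hash_password(record, pass, salt);
    return hash_compare(record, pass);
}

/* Constructed RANDOM() outputs. The third value has low byte 0xFF, which the
 * buggy generator turns into a NUL; the second table never hits 0xFF. */
static const unsigned int RND_WITH_FF[SALT_LEN] = { 0x12, 0x34, 0xFF, 0x56, 0x78, 0x9A, 0xBC, 0xDE };
static const unsigned int RND_CLEAN[SALT_LEN]   = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

int main(void)
{
    printf("buggy salt, RANDOM() hits 0xFF : login %s\n",
           round_trip(make_salt_buggy, RND_WITH_FF, "hunter2") ? "ok" : "LOCKED OUT");
    printf("buggy salt, no 0xFF            : login %s\n",
           round_trip(make_salt_buggy, RND_CLEAN, "hunter2") ? "ok" : "LOCKED OUT");
    printf("fixed salt, RANDOM() hits 0xFF : login %s\n",
           round_trip(make_salt_fixed, RND_WITH_FF, "hunter2") ? "ok" : "LOCKED OUT");
    return 0;
}
```

The modulo-255 fix above is the smallest change that removes the NUL; since the salt is later handled as text, restricting it to a printable alphabet (for example the 64 characters used by crypt-style salts) would also remove any other byte that the record format treats specially, and is what I would suggest for the real fix.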