An A-type hash is an unsalted hash. A B-type hash is a salted hash of
the form md5(salt "-" md5(password)). So it's not correct to have an
A-type hash with a salt. User::comparePasswords() and
CentralAuthUser::getPasswordFromString() already get this right: they
generate :B: prefixes for legacy salted hashes where the salt is not
specified in the database.
Change-Id: Icb809274f9f63641e54daf98332a5646fd58b550
// The old hash format was just an md5 hex hash, with no type information
if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
if ( $this->config->get( 'PasswordSalt' ) ) {
- $row->user_password = ":A:{$row->user_id}:{$row->user_password}";
+ $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
} else {
$row->user_password = ":A:{$row->user_password}";
}
}
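Review bot: The rewrite to `:B:` only reaches rows that are still a bare 32-hex md5, so any value already stored as `:A:<user_id>:<hash>` is not converted here, and with `crypt()` in the A-type class now discarding `$this->args` such a value would presumably stop verifying; whether the earlier code ever wrote that form back to the database cannot be told from this page. It is worth confirming no such rows exist, and adding a regression test that a legacy salted row and a legacy unsalted row both still authenticate after this change. The comment above the `preg_match` could also say why the two branches differ, e.g. `// With PasswordSalt set, the legacy hash is md5( user_id . '-' . md5( password ) ), i.e. a B-type hash salted with the user id`. The enclosing method starts and ends outside this hunk.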
public function crypt( $plaintext ) {
- global $wgPasswordSalt;
-
- if ( $wgPasswordSalt && count( $this->args ) === 1 ) {
- $this->hash = md5( $this->args[0] . '-' . md5( $plaintext ) );
- } else {
- $this->args = [];
- $this->hash = md5( $plaintext );
- }
+ $this->args = [];
+ $this->hash = md5( $plaintext );
if ( !is_string( $this->hash ) || strlen( $this->hash ) < 32 ) {
throw new PasswordError( 'Error when hashing password.' );