[interchange] Enable case-insensitivity in UserDB for unencrypted passwords.

Dan Browning interchange-cvs at icdevgroup.org
Sat Apr 2 06:39:20 UTC 2011


commit 46ecfa0dbf49a134564650c01c7005804aa0a9bf
Author: Daniel Browning <db at kavod.com>
Date:   Fri Apr 1 21:30:59 2011 -0700

    Enable case-insensitivity in UserDB for unencrypted passwords.
    
    This patch makes ignore_case function correctly on unencrypted passwords
    even when mixed-case passwords exist in the UserDB table.
    
    Currently, ignore_case only works if the stored passwords are lower case.
    There are at least two ways for mixed-case passwords to make it into the
    UserDB table:
    
     * If some user records were created with UserDB before ignore_case was set.
       (In this case, newer accounts get the expected behavior while older ones
       don't -- a recipe for "fun".)
    
     * If the password column is populated by more than just UserDB, such as
       through custom IC code or integration with other software.
    
    Case-insensitivity is a nice convenience, both for users who tend not to
    notice when caps lock has been toggled, and for help desk workers who field
    their calls. The cost is that it reduces the effective number of ASCII
    password characters by about one quarter. While it's true that it makes it
    ever so slightly easier to crack passwords, other factors (e.g. password
    length, use of dictionary words) far outweigh its importance.
    
    One alternative to this patch would be to change all current and future
    passwords in the UserDB table to lower case, then the existing ignore_case
    would suffice to provide case-insensitive functionality. One downside of
    that approach would be that it's irreversible, whereas this patch allows
    switching back and forth by simply changing the ignore_case configuration.
    
    This feature is enabled under the following example configuration:
    
    UserDB    default    crypt         0
    UserDB    default    ignore_case   1

 lib/Vend/UserDB.pm |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
---
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index cb190b5..689148b 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1514,6 +1514,9 @@ sub login {
 			if ($self->{CRYPT}) {
 				$self->{PASSWORD} = $self->do_crypt($pw, $db_pass);
 			}
+			else {
+				$db_pass = lc $db_pass if $self->{OPTIONS}{ignore_case};
+			}
 			unless ($self->{PASSWORD} eq $db_pass) {
 				$self->log_either(errmsg("Denied attempted login by user '%s' with incorrect password",
 					$self->{USERNAME}));
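Review bot: the new else branch lowercases only the stored side (`$db_pass = lc $db_pass if $self->{OPTIONS}{ignore_case};`) while `$self->{PASSWORD}` is compared unchanged on the very next line (`unless ($self->{PASSWORD} eq $db_pass)`), so a correct case-insensitive match depends on the submitted password having already been lowercased somewhere above this hunk, which the visible context does not show. Applying `lc` to both operands at the comparison site, guarded by the same option, keeps that invariant local to the check and survives any later reordering of the earlier ignore_case handling; a one-line comment noting that this branch only runs when CRYPT is off, i.e. when the stored password is plaintext, would also help the next reader. The plain `eq` string comparison is pre-existing rather than introduced here, but since both branches end in it, a length-independent comparison would be the stronger choice for a password check.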


