Bug with md5 hashed security answers

When working with the Recover Password task in IdM, we came across a bizarre bug in the security questions/answers used to authenticate a user before they are allowed to change their password.

When a user sets up their security questions and answers, if they use an uppercase letter in at least one of their answers, and if you have chosen to store the security answers as an MD5 hash in the identity store, that user will not be able to recover their password. Why? Because the PHP page for the “Recover Password” task has a line of code that impulsively converts the submitted security answers to lowercase before hashing them. The stored hash was computed over the answer exactly as the user typed it, uppercase letters intact, so the hash of the lowercased answer can never match it.

This buggy line of code exists in the “changepassword.php” file of the workflow interface, on line 717:

$md5Value = md5(strtolower($outputArray[$key]));

Removing the “strtolower” function from the above line of code makes it look like this:

$md5Value = md5($outputArray[$key]);

And that should fix the bug. It is quite a strange error, and if you are not aware of where it stems from you could waste many hours looking in the wrong place.
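To make the mismatch concrete, here is a small added example (not code from the IdM changepassword.php file) that simulates the enrollment-time hash, the buggy recovery-time comparison and the corrected one. The function names, the sample answers and the use of hash_equals() are assumptions of this example, not details taken from the product.

```php
<?php
// Added example, not part of the IdM workflow interface source.
// Simulates what the identity store holds after a user enrolls an answer:
// the MD5 of the answer exactly as typed (no case normalization).
function storeAnswerHash(string $answer): string
{
    return md5($answer);
}

// The buggy recovery-time check described above: the submitted answer is
// lowercased before hashing, so any answer containing an uppercase letter
// produces a different digest from the one stored at enrollment.
function verifyAnswerBuggy(string $storedHash, string $answer): bool
{
    $md5Value = md5(strtolower($answer));
    // hash_equals() is a constant-time comparison; an assumption here,
    // the original page does not show how the digests are compared.
    return hash_equals($storedHash, $md5Value);
}

// The corrected check: hash the submitted answer exactly as the enrollment
// side did, so the two digests are computed over identical input.
function verifyAnswerFixed(string $storedHash, string $answer): bool
{
    $md5Value = md5($answer);
    return hash_equals($storedHash, $md5Value);
}

// Constructed sample answers (not real user data). The first and third
// contain uppercase letters and trigger the bug; the second does not.
$answers = ['Springfield', 'springfield', 'Rex'];

foreach ($answers as $answer) {
    $stored = storeAnswerHash($answer);
    printf(
        "%-12s buggy=%-8s fixed=%s\n",
        $answer,
        verifyAnswerBuggy($stored, $answer) ? 'match' : 'MISMATCH',
        verifyAnswerFixed($stored, $answer) ? 'match' : 'MISMATCH'
    );
}
```

Running this shows the buggy check failing for every answer that contains an uppercase letter while the fixed check matches all three. The general rule the example illustrates is that whatever normalization is applied before hashing (lowercasing, trimming, Unicode folding) has to be applied identically at enrollment and at verification; doing it on only one side guarantees a mismatch for any input the normalization changes. Separately, an unsalted MD5 of a short, low-entropy security answer offers little protection if the identity store is ever exposed, so the storage format itself deserves review alongside this fix.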
