Bug with md5 hashed security answers

When working on the Recover Password task in IdM we came across a bizarre bug in the security question/answer check that authenticates a user before they are allowed to change their password.

When a user sets up their security questions and answers, if they happen to use an uppercase letter in at least one of their answers, and if you have chosen to store the security answers as MD5 hashes in the identity store, that user will never be able to recover their password. Why? Because the PHP page behind the "Recover Password" task lowercases the answer the user types before hashing it for comparison, while the answer was hashed exactly as typed (uppercase letters intact) when it was first stored. MD5 of "Fluffy" and MD5 of "fluffy" are unrelated digests, so for any answer containing an uppercase letter the comparison can never succeed, no matter how the user types it during recovery.

The offending line is in the "changepassword.php" file of the workflow interface, at line 717:

$md5Value = md5(strtolower($outputArray[$key]));

Removing the strtolower() call from that line leaves:

$md5Value = md5($outputArray[$key]);

That fixes the bug for answers that are already stored: the stored digests were computed from the answers exactly as typed, so the recovery page has to hash the typed answer exactly as well; you cannot retroactively lowercase an MD5 value that is already in the identity store. If you would rather have case-insensitive answers, the same normalization has to be applied on both sides, at enrollment and at recovery, and it will only hold for answers enrolled after the change. It is quite a strange error, and if you are not aware of where it stems from you could waste many hours looking in the wrong place.
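The following script is an added illustration of the mismatch and of the consistent alternative; it is not code from changepassword.php or from the IdM product, and all function names, the sample answer and the normalization rules are assumptions made here for the example. The first pair of functions reproduces the behaviour described above (raw answer hashed at enrollment, lowercased answer hashed at recovery); the second pair routes both enrollment and verification through one normalization routine so the digests are computed from the same bytes on both sides. hash_equals() is used for the digest comparison so the check does not leak timing information.

```php
<?php
// Added example, not part of the IdM page or product. Function names, the
// sample answer and the normalization rules are assumptions for illustration.

// --- Behaviour as described on the page: the two sides disagree -------------

// Enrollment stores MD5 of the answer exactly as typed.
function enrollAnswerRaw(string $answer): string
{
    return md5($answer);
}

// Recovery lowercases before hashing (the strtolower() on line 717).
function verifyAnswerLowercased(string $storedDigest, string $typed): bool
{
    return hash_equals($storedDigest, md5(strtolower($typed)));
}

// --- Consistent alternative: one normalization used on both sides ----------

// Normalize an answer before hashing: trim, collapse internal whitespace,
// case-fold in a UTF-8 aware way. Whatever rules are chosen, they must be the
// same at enrollment and at verification.
function normalizeAnswer(string $answer): string
{
    $a = trim($answer);
    $a = preg_replace('/\s+/u', ' ', $a);
    return mb_strtolower($a, 'UTF-8');
}

function enrollAnswer(string $answer): string
{
    return md5(normalizeAnswer($answer));
}

function verifyAnswer(string $storedDigest, string $typed): bool
{
    return hash_equals($storedDigest, md5(normalizeAnswer($typed)));
}

// --- Demonstration with a constructed answer containing an uppercase letter -

$enrolled = 'Fluffy';   // constructed sample answer

// Raw digest at enrollment, lowercased digest at recovery: md5("Fluffy") is
// compared against md5("fluffy"), so neither the original spelling nor the
// all-lowercase spelling can ever verify.
$rawDigest = enrollAnswerRaw($enrolled);
printf("buggy, typed as enrolled : %s\n", var_export(verifyAnswerLowercased($rawDigest, 'Fluffy'), true));
printf("buggy, typed in lowercase: %s\n", var_export(verifyAnswerLowercased($rawDigest, 'fluffy'), true));

// Same normalization on both sides: spelling and surrounding whitespace no
// longer matter, while a genuinely different answer still fails.
$digest = enrollAnswer($enrolled);
printf("consistent, 'fluffy'     : %s\n", var_export(verifyAnswer($digest, 'fluffy'), true));
printf("consistent, ' FLUFFY '   : %s\n", var_export(verifyAnswer($digest, ' FLUFFY '), true));
printf("consistent, 'Fluffy1'    : %s\n", var_export(verifyAnswer($digest, 'Fluffy1'), true));
```

Run it with the PHP CLI (it needs the mbstring extension for mb_strtolower()). The first two lines of output show why the bug on the page is unrecoverable from the user's side, and the remaining lines show that normalizing at both ends gives case-insensitive answers without breaking verification. Note that the consistent version only helps answers enrolled after it is deployed; digests already computed from raw answers still need the raw comparison the page settles on.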