Re: [sqwebmail] Same Password, Different Hashes With Different Browsers?
From: Sam V. <mr...@co...> - 2014-08-01 22:51:57
Sabahattin Gucukoglu writes:

> Hi all,
>
> I am running into a very weird issue that causes intermittent authentication
> failures and I’m wondering if anybody knows what the root cause might be.
> It seems to be linked to web browser, and only appears to affect complicated
> passwords with symbols in them; plain alphabetic passwords are fine.
>
> Somehow, the crypted (“$1…”) passwords stored in a MySQL database
> (Postfixadmin+Postfix+Dovecot+SQWebmail) are mutually unacceptable to
> different browsers for a particular user’s password. In other words, when
> I’m using Safari or iOS, I can use authtest to verify and change the
> passwords, whereas while the user of the account with Firefox or IE on
> Windows 7 is using that account, I can no longer use authtest (or Safari) to
> confirm or change the password. And when I turn on debugging, sure enough,
> the plain text of the secret is identical.
>
> The clue that something really weird is going on is to be found in the
> logs. If I run “authtest user” or log in at SQWebmail using Safari, the
> password hash that is revealed by authdaemond in syslog is identical to the
> one that appears in the authtest output. But if the user has control of the
> account, and changes the password, I can no longer log in with the new
> password, while the user can (and vice-versa), and authdaemond reports what
> appears to be an *identical* plain text secret, with a different hash,
> successfully authenticated.

These are salted passwords. You can change the password twice, to the same password, and each hash will be different.

But that doesn't really fully address what you claim is happening.

> A sample password on the template of the affected password: ABCD!@$@! or
> ABCD!@#@!

The only thing I could think might be happening would involve passwords that use non-Latin characters; however that's not the case here.

No idea.
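The two points in the reply above (salting, and the non-Latin character idea), shown as an added example that is not part of the original post or of Courier's code. It is a pure-Python implementation of the MD5-crypt (`$1$`) scheme; the helper names `new_hash` and `verify` and the non-ASCII password in the test are constructed for illustration, and the `charset` parameter stands in for whatever encoding a client submits the password in.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ("$1$") over raw password bytes; salt is at most 8 bytes."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for left in range(len(password), 0, -16):
        ctx.update(alt[:min(16, left)])
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    vals = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups]
    out = ""
    for v, n in vals + [(final[11], 2)]:
        for _ in range(n):  # emit low 6 bits first, as crypt(3) does
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + salt.decode("ascii") + "$" + out

def new_hash(password: str, charset: str = "utf-8") -> str:
    # A fresh random salt per call: the same password never hashes the same twice.
    salt = "".join(secrets.choice(ITOA64) for _ in range(8)).encode()
    return md5_crypt(password.encode(charset), salt)

def verify(password: str, stored: str, charset: str = "utf-8") -> bool:
    # Re-hash with the salt embedded in the stored value, then compare.
    salt = stored.split("$")[2].encode()
    return hmac.compare_digest(md5_crypt(password.encode(charset), salt), stored)

if __name__ == "__main__":
    pw = "ABCD!@$@!"  # sample password quoted in the thread
    a, b = new_hash(pw), new_hash(pw)
    print(a != b, verify(pw, a), verify(pw, b))
    print(verify(pw, new_hash(pw, "latin-1"), "utf-8"))
```

Both hashes of the thread's sample password differ yet verify, and because that password is pure ASCII its bytes are the same in Latin-1 and UTF-8, so a charset difference alone does not change the hash input.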