In INP-1122 the password storage was changed from MD5 to BCRYPT. As part of the upgrade process, existing user password hashes (MD5) were wrapped in BCRYPT. As a result, three password storage classes exist:
- MD5 - only if for some reason the hash was not upgraded to MD5+BCRYPT
- MD5+BCRYPT - only for users that existed prior to the upgrade (transformed into BCRYPT upon next login)
- BCRYPT - new default
The above implementation has a bug: an attempt to change a user's password will:
- store the password in BCRYPT format
- report the password as stored in MD5+BCRYPT format
Because of this, the user will not be able to log in after changing the password. Even the "Forgot Password" functionality won't help.
When changing the password for upgraded users (those with MD5+BCRYPT password storage), check based on the password content whether it is provided in plain text or as an MD5 hash.
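Added example (not code from the project or the ticket) modelling the three storage classes, the migration step, the mismatch between stored format label and hashed content described above, and the proposed content check. It assumes the record carries an explicit format tag, and it uses PBKDF2 from the standard library as a stand-in for bcrypt so that it runs offline; the `StoredPassword`, `verify` and `change_password_*` names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for bcrypt so the example runs offline on the standard library
# (assumption: the real system uses bcrypt; the format-tag logic is the point).
def _slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000)
def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()
def _looks_like_md5(value: str) -> bool:
    # The ticket's proposed content check: 32 hex characters means an MD5 hash.
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())

@dataclass
class StoredPassword:
    fmt: str      # "MD5", "MD5+BCRYPT" or "BCRYPT"
    salt: bytes   # empty for MD5 records
    digest: bytes

def upgrade_md5(record: StoredPassword) -> StoredPassword:
    # Migration step from the ticket: wrap the existing MD5 hex digest.
    salt = os.urandom(16)
    return StoredPassword("MD5+BCRYPT", salt, _slow_hash(record.digest, salt))

def verify(record: StoredPassword, password: str) -> bool:
    if record.fmt == "MD5":
        return hmac.compare_digest(record.digest, _md5_hex(password).encode())
    if record.fmt == "MD5+BCRYPT":
        inner = _md5_hex(password).encode()  # the legacy digest is what got wrapped
    elif record.fmt == "BCRYPT":
        inner = password.encode()
    else:
        raise ValueError(f"unknown format {record.fmt}")
    return hmac.compare_digest(record.digest, _slow_hash(inner, record.salt))

def change_password_buggy(old: StoredPassword, new_password: str) -> StoredPassword:
    # Reported defect: digest is BCRYPT (plain text) but the MD5+BCRYPT label is kept,
    # so verify() wraps MD5 first and never matches.
    salt = os.urandom(16)
    return StoredPassword(old.fmt, salt, _slow_hash(new_password.encode(), salt))

def change_password_fixed(old: StoredPassword, new_password: str) -> StoredPassword:
    # The label must describe what was actually hashed: MD5 input is wrapped and
    # tagged MD5+BCRYPT, plain text is tagged BCRYPT.
    salt = os.urandom(16)
    if _looks_like_md5(new_password):
        return StoredPassword("MD5+BCRYPT", salt, _slow_hash(new_password.lower().encode(), salt))
    return StoredPassword("BCRYPT", salt, _slow_hash(new_password.encode(), salt))
```

Note that the content check cannot distinguish a genuine 32-character hexadecimal plain-text password from an MD5 digest; the caller should pass the format explicitly where it knows it.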