Unrecognized Drupal login with latest phpass

2011-08-30 00:00:00 +0100

After recent upgrade of phpass module on Drupal 6 I’ve experienced an unpleasant surprise — my login and password stopped to work. Here’s how this can be solved. Recent versions of phpass module for Drupal 6 backport a stronger password hashing algorithm from Drupal 7. It’s a module that is strongly recommended for every production website, as default algorithm from version 6 is insufficient against nowadays password cracking attacks.

The change introduced with new hashing algorithm require that the pass field in database is widened from its old length (32 bytes) to 64 bytes, enough to store new hash. In my case this hasn’t happened (not sure why), which left my Drupal with new hash being stored in a short field. The truncated hash was obviously not recognized by the password checking function. I was still able to login using lost password recovery function, but after logging out again my password was not accepted. That’s obvious, as it was repeatedly written to a database field that was too short.

The solution is to go to the database (using PhpMyAdmin or other tool for database manipulation) and change the field length to 64 bytes. Then you need to login once again using lost password recovery, reset your password for last time and everything should work again.