Some passwords improperly being rejected as mismatch

Quick Information

  • Operating System: Verified on Windows and Docker
  • Install Type: Windows (not package, python3 main.py) / Docker

What Happened?

Certain passwords containing some special characters, when set as the user password, verify incorrectly and produce an incorrect-password error even when copied over correctly. The hash extracted from the database appears to validate against the previously entered password. Testing on my end indicates that this issue occurs during user password validation.

Known bad password

(-_l*1O/"K=GuelUzK>Nm*uq,/1j#^7]hje6]0_\DB'pv:?`fFC-

The issue resolves when the first * (at position 5) is removed.

The hash saved for this event during testing:

$argon2id$v=19$m=65536,t=3,p=4$JQTF/3s9FIm1y3rEZ8V4DA$LPRK+95Cs1igifOhdwjetr+1yFM4wDurOZYQXsZ0Ko8

The hash above validates correctly against the password, but Crafty rejects the login.

When the error is caught, the following information is given:

Unexpected err=VerifyMismatchError('The password does not match the supplied hash'), type(err)=<class 'argon2.exceptions.VerifyMismatchError'>

There is some indication that other passwords hit the same issue; see the Discord threads below for more information.

Initially reported in:

Thanks to Autune and Drtyweasl

Expected result

User passwords should correctly handle special characters, or passwords should be validated to be free of characters that can break Crafty's user authentication.

Steps to reproduce

Set the user password to

(-_l*1O/"K=GuelUzK>Nm*uq,/1j#^7]hje6]0_\DB'pv:?`fFC-

Attempt to sign in using this password; the sign-in should be rejected with a bad-password error.

Remove the first * and set the result as the password; this now works as expected.
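As an added regression check (not Crafty's code and not the reporter's), the script below round-trips passwords with special characters through a hash-and-verify cycle, then shows how any transformation applied to the submitted password on the login path (HTML escaping, whitespace stripping, dropping the * character) produces exactly the mismatch described in the steps above. It uses hashlib.scrypt from the Python standard library as a stand-in for argon2id, since the argon2 package is assumed not to be installed; the $scrypt$ string format, the pipeline names and all function names are assumptions of this example, and the reported password is embedded as constructed test input.

```python
"""Round-trip check for passwords with special characters.

Added example, not Crafty's code. hashlib.scrypt (standard library) stands in
for argon2id; the "$scrypt$..." string format and all function names are this
example's own assumptions.
"""
import base64
import hashlib
import hmac
import html
import secrets
import string
from typing import Callable, Dict, Optional

# Constructed input: the password from the bug report, as a raw string so the
# backslash before "DB" is kept literally.
REPORTED_PASSWORD = r'''(-_l*1O/"K=GuelUzK>Nm*uq,/1j#^7]hje6]0_\DB'pv:?`fFC-'''

# Work factor deliberately low (1 MiB, ~2 ms per hash) so the character sweep
# below stays quick; a real deployment uses a far higher cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 10, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash the password exactly as entered (UTF-8 bytes, no trimming or escaping)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, algo, params, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash type {algo!r}")
    kv = dict(item.split("=") for item in params.split(","))
    actual = hashlib.scrypt(password.encode("utf-8"), salt=_unb64(salt_b64),
                            n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]), dklen=DKLEN)
    return hmac.compare_digest(actual, _unb64(digest_b64))


# Transformations a login path might (wrongly) apply to the submitted password
# before verification. "identity" is the correct behaviour; each of the others
# turns a correct password into a mismatch, which is the symptom in this report.
PIPELINES: Dict[str, Callable[[str], str]] = {
    "identity": lambda p: p,
    "html_escape": html.escape,                 # '"' -> '&quot;', "'" -> '&#x27;', ...
    "strip_whitespace": str.strip,
    "drop_asterisks": lambda p: p.replace("*", ""),
}


def round_trip(password: str, transform: Callable[[str], str]) -> bool:
    """Hash the password as entered at signup, then verify what the login path delivers."""
    stored = hash_password(password)
    return verify_password(stored, transform(password))


def breaking_characters(transform: Callable[[str], str]) -> str:
    """Printable ASCII characters that, placed at the edges of a password, fail the
    round trip under `transform`. An empty result means the path is transparent."""
    bad = []
    for ch in string.printable:
        if ch in "\t\n\r\x0b\x0c":  # control whitespace is not a realistic password char
            continue
        if not round_trip(f"{ch}pw{ch}", transform):
            bad.append(ch)
    return "".join(bad)


if __name__ == "__main__":
    for name, fn in PIPELINES.items():
        ok = round_trip(REPORTED_PASSWORD, fn)
        print(f"{name:17} reported password verifies: {ok}  breaks on: {breaking_characters(fn)!r}")
```

Running it shows the reported password verifying under the identity pipeline and failing under every altering one; breaking_characters lists exactly which characters each pipeline damages, which is the kind of sweep worth keeping in a test suite so that a future change to form handling or request parsing cannot silently reintroduce this bug.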

Priority/Severity

  • High (anything that impacts the normal user flow or blocks app usage)
  • Medium (anything that negatively affects the user experience)
  • Low (anything else e.g., typos, missing icons/translations, layout/formatting issues, etc.)