• Resolved mediabros

    (@mediabros)


It seems that WordPress encrypts the user's password in a custom MD5 way. As you can see in the code below, I am trying to compare the password from the database with the one the user entered.

I am encrypting the posted password with md5() and wp_hash_password();
note that on each refresh or another form post the posted md5() and wp_hash_password() get a random output.

My problem now is that I can't compare the passwords. Anyone got an idea?

    <?php
    // Bootstrap WordPress; wp-load.php pulls in wp-config.php and wp-db.php itself.
    include_once( $_SERVER['DOCUMENT_ROOT'] . '/wp-load.php' );

    // Get the posted values.
    $posted_username = isset( $_POST['username'] ) ? $_POST['username'] : '';
    $posted_password = isset( $_POST['password'] ) ? $_POST['password'] : '';

    $user_name = htmlspecialchars( $posted_username, ENT_QUOTES );

    // Hash the posted password the way WordPress does (phpass; a fresh salt on every call).
    $pass_word = wp_hash_password( $posted_password );

    // Plain MD5 of the same input, for comparison.
    $pass_md5 = md5( $posted_password );

    $pass = $pass_word;

    // Look up the user row (was get_userdatabylogin(), deprecated since WP 3.3).
    $userinfo = get_user_by( 'login', $user_name );

    // Compare the freshly computed hash with the stored one.
    if ( $pass == $userinfo->user_pass ) {
        echo "yes";
    } else {
        echo "no<br />:";
    }

    // Debug output.
    echo $pass;
    echo '<br />:';
    echo $userinfo->user_pass;
    echo '<br />:';
    echo $userinfo->ID;
    echo '<br />:';
    echo $userinfo->user_login;
    echo '<br />:';
    echo $pass_md5;
    echo '<br />:';
    echo wp_hash_password( 'mypassword' );
    ?>

Returns the following values:

    no
    :$P$BJhGR7TPd771cFb6UFVSknys.MDjBw.
    :$P$B7g6c9b3YavlDCT41/1wNWxUqN5E4q1
    :1
    :myusername
    :8684854737c96012f1b6640fa1edf69d
    :$P$B0T9SE3Cnd3NM2iEPFJ.SxwqSCBFR8/

The values after a refresh/re-POST:

    no
    :$P$Bhjs6fejE8OOb2P.jEFa3VbD0BLpb40
    :$P$B7g6c9b3YavlDCT41/1wNWxUqN5E4q1
    :1
    :myusername
    :8684854737c96012f1b6640fa1edf69d
    :$P$BtWdkKKaw5DyXQmZ12CkX5ljyvZDv80

Viewing 4 replies - 1 through 4 (of 4 total)
  • WordPress uses the phpass library to do encryption. Although it can use md5 encryption, it's iterated for password stretching and it's stored somewhat differently; that's why you see the $P$ prefix, which is phpass' identifier for the encryption used.

I'm not quite sure what you are trying to achieve; maybe login integration to WordPress from elsewhere, in which case you should simply compare the result from wp_hash_password (I haven't tried it and assume this is the correct function in WP) to what is stored in the database.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Try something more like this:

    require_once ABSPATH . 'wp-includes/class-phpass.php';
    $user = get_user_by( 'login', $username );   // however you fetched the user row
    $hash = $user->user_pass;                     // the stored "$P$B..." string
    $wp_hasher = new PasswordHash( 8, TRUE );     // same parameters wp_hash_password() uses
    $check = $wp_hasher->CheckPassword( $password, $hash );

    If $check is true, they match.

    BTW, the reason you can’t generate the same hash twice is because of the use of a salt. Salting the password when hashing makes the hash harder to hack using dictionary attacks. This is why generating the hash again and comparing won’t work. The hash isn’t the same every single time. The check function takes part of the hash (the salt) and the password and recomputes the hash with that salt, thus allowing it to check properly.
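To make the "salt is part of the hash" point concrete, here is a Python port of phpass's portable $P$ scheme (the one behind every hash in this thread). This is an added example, not code from the thread, from WordPress or from phpass; the function names are my own, and the algorithm follows phpass's crypt_private(), encode64() and gensalt_private() with the PasswordHash(8, TRUE) parameters that wp_hash_password() uses. hash_password() draws a new salt each call, so it never repeats, while check_password() reads the cost character and the 8-character salt back out of the stored string, recomputes, and compares; the demo at the bottom also feeds the thread's own wp_hash_password('mypassword') output through the checker.

```python
"""Port of phpass's portable ("$P$") scheme as stored in wp_users.user_pass.

Added example, not WordPress or phpass code. Function names are my own;
the algorithm follows phpass's crypt_private()/encode64()/gensalt_private().
"""
import hashlib
import hmac
import os
from typing import Optional

# phpass's own base64 alphabet (not the standard one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def gensalt(iteration_count_log2: int = 8, random_bytes: Optional[bytes] = None) -> str:
    """'$P$' + one cost character + 8 salt characters (12 chars in total).

    PasswordHash(8, TRUE) stores 8 + 5 = 13 in the cost slot, i.e. the letter
    'B' that every hash in the thread starts with: 2**13 = 8192 MD5 rounds.
    """
    if random_bytes is None:
        random_bytes = os.urandom(6)  # phpass draws 6 random bytes per salt
    return "$P$" + ITOA64[min(iteration_count_log2 + 5, 30)] + encode64(random_bytes, 6)


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute the hash for `password` with the cost and salt taken from `setting`."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("bad salt")
    count = 1 << count_log2
    h = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(count):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)  # 12 + 22 = 34 chars


def hash_password(password: bytes, salt_bytes: Optional[bytes] = None) -> str:
    """Equivalent of wp_hash_password(): fresh salt each call, so the output varies."""
    return crypt_private(password, gensalt(8, salt_bytes))


def check_password(password: bytes, stored_hash: str) -> bool:
    """Equivalent of CheckPassword()/wp_check_password(): salt comes from the stored
    hash, the hash is recomputed, and the comparison is constant-time."""
    try:
        recomputed = crypt_private(password, stored_hash)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed.encode(), stored_hash.encode())


if __name__ == "__main__":
    pw = b"mypassword"
    a, b = hash_password(pw), hash_password(pw)
    print(a, b, a == b)  # two different strings: the "random output" from the question
    print(check_password(pw, a), check_password(pw, b), check_password(b"wrong", a))
    # The string the original post shows for wp_hash_password('mypassword'):
    print(check_password(pw, "$P$B0T9SE3Cnd3NM2iEPFJ.SxwqSCBFR8/"))
```

A plain 32-hex MD5 such as the 8684854737c9... value in the question is rejected by check_password() because it has no $P$ prefix, cost or salt to recover; there is nothing to recompute against. Note also that WordPress core has since (6.8) moved new hashes to bcrypt while still verifying old $P$ strings through wp_check_password(), which is exactly why the wrapper, not PasswordHash directly, is the right call site.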

I'd recommend that, to be forward compatible, you use the WordPress wrapper functions instead of directly accessing the phpass function. We never know if the WP devs or the site owner will decide to change the hash parameters or add a new hasher option.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

True. You can use the wp_check_password() function; it's just a wrapper around this.

  • The topic ‘How is the user password encrypted? wp_hash_password’ is closed to new replies.