My client forgot password to login to the backend of the website that was developed by other developer who refused to help. Therefore, I went to SQL database to see if I could retrieve the password directly from there but it seems that password is encrypted. See below
3a0606b25e75eb6c1fed61886844832e
it would be easier if I knew how the password was encrypted so that I could just encrypt new password and add to SQL but when I looked at the code (in password changing PHP gile) there is something called salt_pass that encrypts the password of this website. See below code :
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$db = new database();
$option_uw = array(
"table" => "users",
"fields" => "password",
"condition" => "id='{$_POST['id']}'"
);
$query_uw = $db->select($option_uw);
$rs_uw = $db->get($query_uw);
if ($rs_uw['password'] == trim(salt_pass($_POST['oldpassword']))) {
$value_pw = array(
"password" => trim(salt_pass($_POST['pass']))
);
$query_pw = $db->update("users", $value_pw, "id='{$_POST['id']}'");
if ($query_pw == TRUE) {
header("location:" . $baseUrl . "/back/user");
}
}else{
$_SESSION[_ss . 'msg_result'] = TRUE;
header("location:" . $baseUrl . "/back/user/changepassword");
}
mysql_close();
}
Here is the salt_pass function
function salt_pass($pass) {
return md5("supapongherb.com" . $pass);
}
Does anybody know how I can regenerate or encrypt the new password according to this code?
PS. the website is developed with MVC programming and I am really capable of it. Please let me know if you would like to see more file.
Thank you in advance!
Let's clear a few things up
but it seems that password is encrypted
First, your password is hashed, not encrypted. There is a difference. Namely that hashes are meant to be one-way. There's no way to look at a hash and just regenerate the password from that.
Second, they're using MD5. They're not actually salting anything, they're appending the same string to all passwords and THEN hashing it. MD5 is a terrible way to hash because it's stupid easy to break. This is the equivalent of securing your front door with a rubber band. It's not secure because you can make millions of guesses a minute. Yes it is that bad.
Third, with the function and the "salt" known, you can easy make a new password this way (via SQL because I'm not guessing what sort of screwy ORM they're using there)
UPDATE users
SET password = MD5(CONCAT('supapongherb.com', 'new_password_here'))
WHERE id = their_user_id_here
Fourth, switch to password_hash. Like now. Get rid of the rubber band and upgrade to a deadbolt, with rabid pitbulls behind it and a shotgun in your lap.
Related
What type of hash does WordPress use?
Here is an example of a WordPress hash:
$P$Bp.ZDNMM98mGNxCtHSkc1DqdRPXeoR.
The WordPress password hasher implements the Portable PHP password hashing framework, which is used in Content Management Systems like WordPress and Drupal.
They used to use MD5 in the older versions, but thankfully, no more. You can generate hashes using this encryption scheme at http://scriptserver.mainframe8.com/wordpress_password_hasher.php.
$hash_type$salt$password
If the hash does not use a salt, then there is no $ sign for that. The actual hash in your case is after the 2nd $
The reason for this is, so you can have many types of hashes with different salts and feeds that string into a function that knows how to match it with some other value.
For manually resetting the password in Wordpress DB, a simple MD5 hash is sufficient. (see reason below)
To prevent breaking backwards compatibility, MD5-hashed passwords stored in the database are still valid. When a user logs in with such a password, WordPress detects MD5 was used, rehashes the password using the more secure method, and stores the new hash in the database.
Source: http://eamann.com/tech/wordpress-password-hashing/
Update: this was an answer posted in 2014. I don't know if it still works for the latest version of WP since I don't work with WP anymore.
MD5 worked for me changing my database manually. See: Resetting Your Password
It depends at least on the version of PHP that is used. wp-includes/class-phpass.php contains all the answers.
I had same problem finding out what kind of Hash does Wordpress Uses .
It is wp hash password.
Example
Compare an already hashed password with its plain-text string:
<?php
$wp_hasher = new PasswordHash(8, TRUE);
$password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
$plain_password = 'test';
if($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
echo "YES, Matched";
} else {
echo "No, Wrong Password";
}
?>
See These Links:
https://codex.wordpress.org/Function_Reference/wp_hash_password
https://developer.wordpress.org/reference/functions/wp_hash_password
It uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5.
The best way to do this is using WordPress class to authenticate users. Here is my solutions:
1. Include following WordPress PHP file:
include_once(dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . "wp-includes" . DIRECTORY_SEPARATOR . "class-phpass.php");
2. Create an object of PasswordHash class:
$wp_hasher = new PasswordHash(8, true);
3. call CheckPassword function to authenticate user:
$check = $wp_hasher->CheckPassword($password, $row['user_pass']);
4. check $check variable:
if($check) {
echo "password is correct";
} else {
echo "password is incorrect";
}
Please Note that: $password is the un-hashed password in clear text whereas $row['user_pass'] is the hashed password that you need to fetch from the database.
Start phpMyAdmin and access wp_users from your wordpress instance.
Edit record and select user_pass function to match MD5. Write the string that will be your new password in VALUE.
Click, GO.
Go to your wordpress website and enter your new password.
Back to phpMyAdmin you will see that WP changed the HASH to something like $P$B...
enjoy!
Wordpress uses MD5 Password hashing. Creates a hash of a plain text password. Unless the global $wp_hasher is set, the default implementation uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5. MD5 is used by default because it's supported on all platforms. You can configure PasswordHash to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property.
include_once('../../../wp-config.php');
global $wpdb;
$password = wp_hash_password("your password");
By default wordpress uses MD5. You can upgrade it to blowfish or extended DES.
This question already has an answer here:
bcrypt and randomly generated salts
(1 answer)
Closed 8 years ago.
* A REAL WORKING ANSWER is at the bottom of this page! *
This is a question about using crypt () blowfish hash during login for customer verification. I am restricted to PHP 5.3 by my web host and I know it would be better to use PHP 5.5 with password hash () and password verify() but PHP 5.3 doesn’t seem to recognize them. The problem is not hashing the password and putting it in the database the available codes on line work for that. The problem is all the codes I found (about ten so far) don’t take into consideration that the randomized salt that is highly recommended for the registration page can’t be used on login passwords because it will be different every time with no match. Is what I am trying to do not possible on PHP 5.3 or is there a way to re-hash the users password using the salt it was randomized with so it can be checked against the one stored in the database?
Codes like this work well for randomizing the salt and hashing the password for the database entry.
function better_crypt($input, $rounds = 9)
{
$salt = "";
$salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
for($i=0; $i < 22; $i++) {
$salt .= $salt_chars[array_rand($salt_chars)];
}
return crypt($input, sprintf('$2a$%02d$', $rounds) . $salt);
}
$password_hash = better_crypt($input);
But login codes like this don’t work and the functions from the registration page must be redefined on the login page some how. They don’t carry over like session variables. I know I must be missing something… Does anyone have a code that will work for this funtion?
$password_hash = better_crypt($db_password_hash);
if (crypt($user_password, $password_hash) == $password_hash) {
echo '<br>';
echo 'true';
}else{
echo '<br>';
echo 'false';
}
Can’t add comment at bottom of page… I don’t have permission?
The “better crypt” function is for the registration page, it could be called something else. I don’t think it is used for the login page or the PHP include page, but this is what I am asking. Is there a login function or code that can use the original salt and how do I get it out of the hashed password in the database to check it and verify the user?
About the answer (bcrypt and randomly generated salts)
How do I extract the original randomized salt from the hashed password stored in the database or do I try to separate it first during registration and save it separately to use during login? I read this not the way it is suppose to work.
Hi martinstoeckli … The link to “compatibility pack “ goes to the PHP manual on “password_hash”, I don’t see any compatibility pack. The algorithm is set by blowfish and it stays the same for every hashed password. Using crypt by itself is weaker then blowfish, but even that dose not solve the login problem I am asking about. I tried that frist.
If anyone has a working login code to use with blowfish ($2a$) algorithm and using any cost value, please post it. It needs to extract the salt from the saved hashed database password to hash the user enter password during login for comparison. Somehow... Using a fixed salt is not recommended so the randomized salt during registration must be extracted somehow from the saved hash password.
Hi deceze,
I did check the duplicate but it had no login code to try. I will try to make a new code to test using this one line below… where $passwordToCheck is the login password and $2y$10$abcdefg... is the stored hashed password in the database. I will put it in an “if statement and echo if it is true or else false”. Get back to you with the results…Thanks
crypt($passwordToCheck, '$2y$10$abcdefg...')
deceze,
I tried this code below with the “,” and “==” both return true or “worked!” with any password input into the login. Please post the code you use for your login page so I can test or modify it to use on mine .
if
(crypt($user_password == $db_password_hash)){
echo '<br>';
echo ' Worked! ';
echo '<br>';
}
else
{
echo '<br>';
echo ' Did not work ): ';
echo '<br>';
}
Also I am using “$2y$11$” now for the algorithm and cost parameter on my registration page with database input like this “$2y$11$9MUd40QqfmmtPaes91OttOlvAhkAtMvS4.mtg9LT.tazythwhRMwu”
Would someone please remove the post that this question has been answered. This will just frustrate others trying to fine an answer to this problem as I have been for days now. Again if anyone does have a working code to answer this question please post it so this problem can get resolved for others STILL NEEDING A REAL WORKING ANSWER!
//////////////////////////////////////////////////////////////////////////////
EUREKA! “I found it” or at least learned how to write the code.
This is A REAL WORKING ANSWER! , The Blowfish login code I wish I had days ago, when I sill had hair!
The "$2y$" is better for PHP 5.3.7 or higher but I must use the "$2a$" algorithm for PHP 5.3 as explained below from http://php.net/manual/en/function.crypt.php.
Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP 5.3.7 introduced the new prefixes to fix a security weakness in the Blowfish implementation. Please refer to » this document for full details of the security fix, but to summarise, developers targeting only PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".
<?php
// Blowfish login code to verify user login password with the hashed password in database
// Make variables from login form on another page and use “include()” to get this PHP code
$user_name_from_login = $_POST[ 'login_user_name' ];
$user_password_from_login = $_POST[ 'login_password' ];
//Check users name for match in your database table of user names
// You must use a line like this “include(‘your_conection_name.php');”
//at the top of your page to get the database connection code or add it directly to this page for this to work
$sql = "SELECT * FROM customers WHERE user_name=:login_user_name";
$query = $db->prepare( $sql );
$query->execute( array( ':login_user_name'=>$user_name_from_login ) );
$results = $query->fetchAll( PDO::FETCH_ASSOC );
//Get hashed password in database associated with user name and make it into a php variable
foreach( $results as $row ){
$database_password_hash = $row[ 'password' ];
}
//Using the Blowfish “$2a$” algorithm with a cost of “11$” and random salt form registration page
// this one line converts login password to the original saved hashed so it can be compared with the one saved in database
$user_password_rehashed = crypt($user_password_from_login, $database_password_hash);
//Now a simple comparison can be made and verified with an “if else” using the variables above
if
($user_password_rehashed == $database_password_hash) {
echo '<br>';
echo ' User’s login password “IS A MATCH” with the one in database (:';
echo '<br>';
}
else
{
echo '<br>';
echo ' User’s login password “DOES NOT MATCH” with the one in database ):';
echo '<br>';
}
//Check your output to better understand process
echo '<br>';
echo ' $user_password_from_login = ' . $user_password_from_login;
echo '<br>';
echo ' $user_password_rehashed --- = ' . $user_password_rehashed;
echo '<br>';
echo ' $database_password_hash --- = ' . $database_password_hash;
echo '<br>';
?>
I hope this will save time and money for other web designers…
I know it would be better to use PHP 5.5 with password hash () and password verify() but PHP 5.3 doesn’t seem to recognize them…
Use the password_compat library. It provides those functions for PHP 5.3.7 and later.
The problem with your better_crypt() function is that it generates a new random salt every time it is called, so the results can't be verified. To be compatible with crypt(), it would need to take a salt from another password hash as input.
But don't do that. Use password_compat.
I've been asked to enable SHA256 for storing wordpress passwords.
I've searched for plugins with no luck (not working), so I started to develop my own.
I first thoug.. well if I replace the wp_hash_password with my own function, It would encrypt when saving password and loging. But I wasn't that lucky. I'm able to run hash(sha256) though in a basic php file. I'm aware that users wont' be able to login as the stored key would be md5 and the comparation would be SHA, but it isn't a problem.
Code:
if(!function_exists('wp_hash_password')):
function wp_hash_password($password){
return hash('sha256', $password);
}
endif;
So I guess I'll have to make my own "check login" function.
Did someone did something like this?¿
Seems to me that your approach should work if you override the wp_check_password function as well. That'll have to be done in a plugin, I think, as the functions are loaded before the theme's functions.php. Something like this:
<?php
/*
Plugin Name: sh256pass
Version: 1.0
*/
if(!function_exists('wp_hash_password')):
function wp_hash_password($password){
return hash('sha256', $password);
}
endif;
if(!function_exists('wp_check_password')):
function wp_check_password($password, $hash, $user_id = '') {
// You might want to apply the check_password filter here
return wp_hash_password($password) == $hash;
}
endif;
Note that you'll either have to have your users reset their password on their next login (you won't be able to convert the existing passwords automatically), or you'll have to follow WordPress's approach in wp_check_password and compare the password to the old encrypted value (in their case md5), and if that matches, update to the new value.
Keep in mind that the wp_users.user_pass field is only 64 characters long. While that's (just) long enough to store the sha256 value, it isn't long enough to store the sha256 value and a salt. If you don't salt, and two users choose the same password, the wp_users.user_pass field will contain the same value, making it obvious to anyone with access to the database that the passwords are the same. My gut feel is that that is a greater security risk than using the current algorithm. You might be able to get around that by (say) concatenating the user ID and the password before hashing, but there might be edge cases where you don't know the user ID (such as when a user is created).
Personally, I'd question the requirement.
I'm trying to create a custom registration component for TYPO3 on an external website where TYPO3 is not installed (i just use its database). Problem is i have no experience using TYPO3. I was wondering if anyone knew how to create the correct password encryption for TYPO3? The passwords looks like this :
$P$CeO/XYcbzRH9nLpCwKdp1HhsJGwJum0
I am looking for a php code to create that same encryption and check the password. I have the encrytion key from the install tools which (i believe) is used for the salting.
Or is there a possibility to save passwords as MD5 only? Not the best option but i could be the only one left.
I have found this url:
http://srv123.typo3.org/TYPO3/Extensions/saltedpasswords/4.6/#compatibility-of-other-extensions-with-salted-user-password-hashes
But i have no clue how to implement that in my own script.
Works on typo3 6.X:
$password = 'XXX'; // plain-text password
$saltedPassword = '';
if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')) {
if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$saltedPassword = $objSalt->getHashedPassword($password);
}
}
}
Have a look at the developer guide:
1.5.1 Creating a new salted user password hash from a given plain-text password
You have to use it in the typo3-Frontend:
$password = 'XXX'; // plain-text password
$saltedPassword = '';
if (t3lib_extMgm::isLoaded('saltedpasswords')) {
if (tx_saltedpasswords_div::isUsageEnabled('FE')) {
$objSalt = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$saltedPassword = $objSalt->getHashedPassword($password);
}
}
}
But, you should never try to generate salted password outside of typo3 because the encryption depends on your typo3 settings.
By looking at the hash provided I suppose the saltedpasswords extension (responsible for storing salted hashes in the database) in TYPO3 is set to use phpass. You should therefore be able to take this class and use it in your script to create/check passwords the same way as TYPO3 does.
Or is there a possibility to save passwords as MD5 only?
Yes, using salted passwords in TYPO3 is optional and not mandatory. However, if any TYPO3 installation in future would be supposed to use that database, I'm not sure how TYPO3 would handle the mixture of records when some of them would have passwords stored as unsalted hashes and some as salted. My guess is, that it would handle it gracefully, recognising which check to use for each hash.
I have a php function in a php page called encrypt_password that I use when processing a registration form:
function encrypt_password($password){
$salt = sha1(md5($password));
$password = md5($password.$salt);
return $password;
}
I try to use it again for when I process the login form but I get a different result.
I get the correct result just by not calling this function and instead just calling:
$salt = sha1(md5($password));
$password = md5($password.$salt);
directly on my process_login page. Why would I get a different result by calling encrypt_password?
I hope I have explained this clearly enough!
Thanks!
I simply cannot believe this to be true. You say you have two pages, one with a registration form and one with a login form.
They both have to encrypt the password the user has posted.
There can be a number of things wrong here, depending on how you find they don't match. Do you just try to login and see an error that your password is wrong? Or did you echo the password hash after a call to encrypt_password? It would be nice to have done that to shown us a hash of the password 'test', from both the registration page and the login page. Perhaps someone could've seen a pattern.
Anyway, let me guess:
You enter the password incorrectly.
You have created this user you're testing it with, with an older version of your encryption function. Perhaps you only used md5(password) to register, then you read somewhere that was unsafe and added a salt. Now you're comparing two different hashes for the same password, since the password is stored in the database using the old hashing function.
You set $password with $password = $_POST['password']; I guess. On both pages, I guess too. Are those statements on both pages typo-free? No $password = $_POST['pasword']; there? And are both <input> elements named "password"?
Typos also go for the $encrypt_password function. Do you define it on both pages, or do you include it from another file? (You should!) If they exist in both files, do they match letter by letter? Copypaste it to test this, and if it works, thank me and put it in an include afterwards, and let it be a lesson.
i faced the same problem .
check the length of password field in db the value after hashed is increased the limit you specified in the db
Yep, I checked the code and theres is no error. This is my code without any flaws:
function encrypt_password($password){
$salt = sha1(md5($password));
$password = md5($password.$salt);
return $password;
}
$myPassword = "test";
echo encrypt_password($myPassword );
// this gives me 34364c859afb02e70306c905374ac2d5
$salt = sha1(md5($myPassword));
$password = md5($myPassword.$salt);
echo "<br />";
echo $password;
//this gives me 34364c859afb02e70306c905374ac2d5
So, they are the same. Like Dimme, I thought the same about variable names. But I could not replicate this. Sorry...