I tried to reset the password of the WordPress admin panel.
I typed some password and selected the function MD5.
It shows the exact MD5 conversion of the given string.
After logging in to the admin panel of WordPress, if we browse the table, it converts the password into some other string.
Can anyone guide me about the password technique?
Thanks
Quoting from the WordPress docs:
Creates a hash of a plain text password. Unless the global $wp_hasher is set, the default implementation uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5. MD5 is used by default because it's supported on all platforms. You can configure PasswordHash to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property (see examples).
It uses the wp_hash_password function.
function wp_hash_password($password) {
    global $wp_hasher;
    if ( empty($wp_hasher) ) {
        require_once( ABSPATH . WPINC . '/class-phpass.php');
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }
    return $wp_hasher->HashPassword( trim( $password ) );
}
The source code of the "class-phpass.php" file can be found at: https://core.trac.wordpress.org/browser/tags/4.3.1/src/wp-includes/class-phpass.php
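To make the stored string readable, here is an added example (my own re-implementation, not WordPress or phpass code) of the portable-hash check that sits behind HashPassword(): the value in the database is "$P$", one character encoding the iteration count, an 8-character salt, and a 22-character encoding of the final MD5 state. The salt used below is a constructed constant; phpass draws it from random bytes.

```php
<?php
// Added example, not WordPress or phpass code: a minimal re-implementation of
// the phpass "portable" check behind wp_hash_password(), so the stored string
// can be read: "$P$" + one iteration character + 8-char salt + 22-char hash.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base64 variant (little-endian, 6 bits per output character).
function phpass_encode64(string $input, int $count): string {
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recomputes the hash for $password under the parameters encoded in $setting.
// Returns "*0" / "*1" (never equal to a real hash) on a malformed setting.
function phpass_crypt_private(string $password, string $setting): string {
    $fail = substr($setting, 0, 2) === '*0' ? '*1' : '*0';
    if (!in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) return $fail;
    $countLog2 = strpos(ITOA64, $setting[3]);   // 'B' => 13 => 2^13 rounds
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) return $fail;
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) return $fail;
    $count = 1 << $countLog2;
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);  // raw binary MD5, chained
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function phpass_check(string $password, string $stored): bool {
    return hash_equals($stored, phpass_crypt_private($password, $stored));
}

// Constructed demo: the salt here is fixed; phpass draws 6 random bytes for it.
$stored = phpass_crypt_private('correct horse', '$P$B' . 'abcdefgh');
var_dump(substr($stored, 0, 12), phpass_check('correct horse', $stored),
         phpass_check('wrong horse', $stored));
```

This is why the value in the table is not a plain MD5: WordPress hashes the salt plus the password and then chains MD5 8192 times (the 'B' character) before encoding the result.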
I have set the encryption key in the config.php file:
$config['encryption_key'] = 'az2x#_.#!`~$aezxqy+=#%^&';
I want to use this key in the password when registering users into the website. Right now I am using this method:
'password' => hash('sha256', $password . 'az2x#_.#!`~$aezxqy+=#%^&')
Is there any way I can set the above code like
'password' => hash('sha256', $password . $config['encryption_key']),
When I do, it gives an error of an undefined $config variable.
I strongly suggest using the built-in PHP API for password salting/hashing and not the method you are using; the encryption key is meant to be used for the encryption class...
$passwordHash = password_hash($password, PASSWORD_BCRYPT);
You store this salted and hashed password in the database.
Then verify it when getting it from the DB using:
password_verify($password, $result->password)
This returns a BOOLEAN, so you use it in an if statement:
if ( password_verify($password, $result->password) ) {
    // do login stuff
} else {
    // handle login failure
}
Otherwise, you can use the encryption key by the following (strongly suggest against it):
$this->config->item('encryption_key');
If this doesn't work you are probably writing a helper or something, so you'll need to call the CI instance to get access to the config array.
I am trying to test the password_hash method. For this purpose I have created the following function hashPassword:
function hashPassword($string) {
    // The 'salt' option is what puts the key into the output below
    // (deprecated since PHP 7.0 and ignored since PHP 8.0)
    $settings = array('cost' => 10, 'salt' => 'thisIsMyEncryptionKey1234');
    return password_hash($string, PASSWORD_BCRYPT, $settings);
}
Now if I test this with a random string like "test", the result would be:
$2y$10$thisIsMyEncryptionKeyu5n3NNnKh3DjgJqgb5pE8YOLBclKrVWC
Or if I test it with helloworld:
$2y$10$thisIsMyEncryptionKeyuVw8QRVNw8HbEWHX2oQlArVtne2TzOpS
Can anyone tell me why this is happening? Or is it supposed to be like this?
You should never provide the encryption key manually unless you have a very good reason to do so. I'd recommend reading the docs on password_hash some more.
Proper usage just lets the system figure it all out on its own:
function hashPassword($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}
PHP will then internally choose the best available algorithm and most fitting number of iterations for current hardware, and generate a safe and unique salt.
To validate the password, then use password_verify, and check for required rehashes, for example in a User class:
class User
{
    ...
    public function verifyPassword($password)
    {
        if(!password_verify($password, $this->hash))
            return false;
        if(password_needs_rehash($this->hash, PASSWORD_DEFAULT))
            $this->setNewHashAndSaveToDB(password_hash($password, PASSWORD_DEFAULT));
        return true;
    }
}
By using this construct, you ensure hashed passwords are always kept up to date and secure as hardware capacities progress, automatically when a user logs in.
The policy on what algorithm PASSWORD_DEFAULT chooses, and with which config, is as follows:
Updates to supported algorithms by this function (or changes to the default one) must follow the following rules:
Any new algorithm must be in core for at least 1 full release of PHP prior to becoming default. So if, for example, a new algorithm is added in 5.5.5, it would not be eligible for default until 5.7 (since 5.6 would be the first full release). But if a different algorithm was added in 5.6.0, it would also be eligible for default at 5.7.0.
The default should only change on a full release (5.6.0, 6.0.0, etc) and not on a revision release. The only exception to this is in an emergency when a critical security flaw is found in the current default.
About the encryption key:
The best encryption key is a binary blob that's generated from a reliable random number generator. The following example would be recommended (>= 5.3):
$keySize = mcrypt_get_key_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB); // mcrypt was removed from PHP core in 7.2
$encryptionKey = openssl_random_pseudo_bytes($keySize, $strong); // $strong will be true if the key is crypto safe
But in your case you just set the string; use some random data for this.
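The CodeIgniter question above stores hash('sha256', $password . $key), an unsalted, fast hash, and this answer recommends password_hash() with password_needs_rehash(). The following added example (my own code, not from any post above; the cost value is an assumption to tune per server) combines the two: it verifies the legacy format on login, replaces it with a bcrypt hash, and also upgrades bcrypt hashes whose cost has fallen below policy.

```php
<?php
// Added example, not from any of the posts above. Migrates the legacy
// hash('sha256', $password . $key) scheme to password_hash() on login, and
// keeps bcrypt hashes current with password_needs_rehash(). Needs PHP 7.1+.
const LEGACY_KEY = 'az2x#_.#!`~$aezxqy+=#%^&'; // the key quoted in the question
const BCRYPT_OPTIONS = ['cost' => 12];         // assumption: tune for your hardware

// Legacy format: 64 hex chars of SHA-256 over password . key (no per-user salt).
function is_legacy_hash(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{64}$/', $stored);
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the stored
// value must be replaced: either a legacy hash, or a bcrypt hash whose cost
// is below the current policy. The caller writes $newHash back to the DB.
function check_and_upgrade(string $password, string $stored): array {
    if (is_legacy_hash($stored)) {
        $expected = hash('sha256', $password . LEGACY_KEY);
        if (!hash_equals($expected, $stored)) {   // constant-time compare
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT, BCRYPT_OPTIONS)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT, BCRYPT_OPTIONS)
        ? password_hash($password, PASSWORD_DEFAULT, BCRYPT_OPTIONS)
        : null;
    return [true, $new];
}

// Constructed demo rows: one legacy user and one user hashed at cost 10.
$rows = [
    'legacy' => hash('sha256', 'correct horse' . LEGACY_KEY),
    'cost10' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];
foreach ($rows as $name => $stored) {
    [$ok, $new] = check_and_upgrade('correct horse', $stored);
    printf("%s: ok=%s upgrade=%s\n", $name, var_export($ok, true),
           $new === null ? 'no' : substr($new, 0, 7));
    [$bad] = check_and_upgrade('wrong password', $stored);
    printf("%s: wrong password -> ok=%s\n", $name, var_export($bad, true));
}
```

Both demo rows verify with the right password and are flagged for upgrade; once every legacy row has been rewritten, is_legacy_hash() and the key can be deleted.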
This is not my first time using CodeIgniter or Bcrypt, but it is my first time using a specific library of Bcrypt with CodeIgniter. I am having issues integrating the two together.
Let's get to the code:
public function create_user($value) {
    $this -> CI = get_instance(); // Get the CI instance
    $this -> CI -> load -> library('bcrypt'); // Use this to load the library from within the model
    // Here is where things get shaky.
    $hash = $this -> CI -> bcrypt -> password_hash($value[":password"], PASSWORD_BCRYPT, array("cost" => 17));
    $value[":password"] = $hash; // Here I take the :password placeholder and update the clear text password with the bcrypt password
    var_dump($value[":password"]); // This gives me NULL, I assume because I am getting errors with $hash = .......
As per the manual for password_compat:
BCRYPT also allows for you to define a cost parameter in the options array. This allows for you to change the CPU cost of the algorithm:
$hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));
On my front end these are the errors I keep getting:
Message: Use of undefined constant PASSWORD_BCRYPT - assumed 'PASSWORD_BCRYPT'
Message: password_hash() expects parameter 2 to be long, string given
I made this into a library itself, so I put it into the application/librarys folder.
This is the file
Any help would be great. Thank you.
Okay, well, looking at this file (which was my old Bcrypt.php file), you notice I do not have these lines added:
if (!defined('PASSWORD_DEFAULT')) {
    define('PASSWORD_BCRYPT', 1);
    define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
}
Well, the reason I removed them was because I had put the above snippet of code under the Class Bcrypt { ... line, which would cause an error.
Now I put this snippet of code:
if (!defined('PASSWORD_DEFAULT')) {
    define('PASSWORD_BCRYPT', 1);
    define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
}
Class Bcrypt {
This is all I had to do for it to work. Silly me! Now it works:
string(60) "$2y$17$9qgFDbN3361DAQFilGZySuJ4czachQThuskoSj4DihkxjwGFqTx2e"
I am using bcrypt to hash my passwords and it seems that the Symfony2 authentication system is not producing the same hash as PHP's native crypt function. Below is the salt that I am generating for my user password:
$salt = '$2y$13$' . substr(md5(uniqid(rand(), true)),0,21) . '$';
$this->setPassword('test',$salt);
In my security.yml file I am simply doing:
encoders:
    Blogger\BlogBundle\Entity\User:
        algorithm: bcrypt
        iterations: 13
Is there any reason why the two encoding methods would generate different hashes? The library I am using is ircmaxell/password-compat.
The best way to use this within Symfony2 is to get the encoder.
use \Blogger\BlogBundle\Entity\User;
$user = new User();
$encoderFactory = $this->get('security.encoder_factory');
$encoder = $encoderFactory->getEncoder($user);
$salt = 'salt'; // this should be different for every user
$password = $encoder->encodePassword('password', $salt);
$user->setSalt($salt);
$user->setPassword($password);
If you are using FOSUserBundle, you should use:
use \Blogger\BlogBundle\Entity\User;
$userManager = $this->get('fos_user_manager');
$password = 'password';
$user = new User();
$user->setPlainPassword($password);
$userManager->updateUser($user, true); // second argument tells user manager to flush
After reviewing the source code for the Symfony 2.3 implementation of bcrypt, they use a function called hash_algorithm() and it seems to yield different results than crypt(). Both use $2y$ versions of bcrypt and I had set the cost for both algorithms to 13 ... however, it is more consistent to do the following for setting passwords instead:
$user->setPassword(password_hash($user->getPassword(), PASSWORD_BCRYPT, array('cost' => 13)));
That line of code seemed to fix my problem. The best part is that I don't even have to generate my salt any more.
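Two bcrypt hashes of the same password are expected to differ, because each call draws a fresh 16-byte salt that is stored inside the string; comparing hash strings is therefore the wrong test, password_verify() is the right one. The following added example (my own code, not from Symfony, password_compat or any post above) splits a bcrypt string into its fields, which also shows why the earlier question's key was visible in its output, and demonstrates the differing-but-valid hashes at cost 13.

```php
<?php
// Added example, not from Symfony, password_compat or any post above. Splits a
// bcrypt string into its fields to show why the key ended up visible in the
// hash in the earlier question, and why two hashes of one password differ.
function bcrypt_fields(string $hash): ?array {
    // $2y$ + 2-digit cost + $ + 22 salt chars + 31 digest chars = 60 chars
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null;   // not a bcrypt string (e.g. a malformed salt)
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2],
            'salt' => $m[3], 'digest' => $m[4]];
}

// The string quoted in the earlier question: its salt field is the caller's key.
$fromQuestion = '$2y$10$thisIsMyEncryptionKeyu5n3NNnKh3DjgJqgb5pE8YOLBclKrVWC';
print_r(bcrypt_fields($fromQuestion));

// Two hashes of the same password at the cost Symfony was configured with:
// different random salts, so different strings, but both verify.
$a = password_hash('test', PASSWORD_BCRYPT, ['cost' => 13]);
$b = password_hash('test', PASSWORD_BCRYPT, ['cost' => 13]);
var_dump($a !== $b,
         bcrypt_fields($a)['salt'] !== bcrypt_fields($b)['salt'],
         bcrypt_fields($a)['cost'] === 13,
         password_verify('test', $a) && password_verify('test', $b));
```

The hand-built salt in the question ('$2y$13$' plus 21 hex characters and a trailing '$') does not match the 22-character salt field bcrypt_fields() expects, which is one more reason to let password_hash() generate the salt.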
I have a PHP application that I'm converting to Grails. The PHP application used a salt mechanism to encode the passwords of all its users.
When moving the salt and salted password into the (custom) user database in Grails, I am unable to log in while in my Grails application.
Of course, I'm using the Spring Security Core plugin, and I've added the salt to the User domain class as specified in this tutorial, which I found here: Grails with Spring Security Plugin and Salted Passwords
After running through the tutorial, I am able to add a user and successfully log in with that user:
[BootStrap.groovy]:
new User( username:"user", email:"user#place.com", password:"password", enabled:true).save(flush: true)
(You might also notice the addition of email, which I added using this tutorial.)
But I am unable to log in using any of the users that were transferred over from the PHP project. If it's any help, here's how their passwords were encoded:
$password = "password";
$salt = bin2hex( openssl_random_pseudo_bytes( 32 ) );
$passwordSalted = hash( "sha256", $salt . $password );
It looks like Burt nailed it with his suggestion here: http://grails.1312388.n4.nabble.com/Spring-Security-Core-plugin-and-multiple-salt-sources-tc3638236.html#a3646256
Basically, I already had my own salt provided from the tutorials I mentioned above; I just needed to combine it with the password using a custom password encoder.
import org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder;

public class CustomPasswordEncoder extends MessageDigestPasswordEncoder {
    public CustomPasswordEncoder() {
        super("SHA-256");
    }

    // Spring's default merges as "password{salt}"; the PHP side hashed salt . password,
    // so reproduce that ordering here.
    @Override
    protected String mergePasswordAndSalt(String password, Object salt, boolean strict) {
        if (password == null) {
            password = "";
        }
        if (salt == null || "".equals(salt)) {
            return password;
        }
        return salt + password;
    }
}