phpass
PHP Password Library: Easy, secure password management for PHP
PHP Password Library
phpass is a widely used hashing 'framework'.
Is it good practice to salt the plain password before giving it to PasswordHash (v0.2), like so?:
$dynamicSalt = $record['salt'];
$staticSalt = 'i5ininsfj5lt4hbfduk54fjbhoxc80sdf';
$plainPassword = $_POST['password'];
$password = $plainPassword . $dynamicSalt . $staticSalt;
$passwordHash = new PasswordHash(8, false);
$storedPassword = $passwordHash->HashPassword($password);
For reference the phpsalt class:
# Portable PHP password hashing framework.
#
# Version 0.2 / genuine.
#
# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
# the public domain.
#
#
#
class PasswordHash {
var $itoa64;
var $iteration_count_log2;
var $portable_hashes;
var $random_state;
function PasswordHash($iteration_count_log2, $portable_hashes)
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
$iteration_count_log2 = 8;
$this->iteration_count_log2 = $iteration_count_log2;
$this->portable_hashes = $portable_hashes;
$this->random_state = microtime() . getmypid();
}
function get_random_bytes($count)
{
$output = '';
if (is_readable('/dev/urandom') &&
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .=
pack('H*', md5($this->random_state));
}
$output = substr($output, 0, $count);
}
return $output;
}
function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
function gensalt_private($input)
{
$output = '$P$';
$output .= $this->itoa64[min($this->iteration_count_log2 +
((PHP_VERSION >= '5') ? 5 : 3), 30)];
$output .= $this->encode64($input, 6);
return $output;
}
function crypt_private($password, $setting)
{
$output = '*0';
if (substr($setting, 0, 2) == $output)
$output = '*1';
if (substr($setting, 0, 3) != '$P$')
return $output;
$count_log2 = strpos($this->itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8)
return $output;
# We're kind of forced to use MD5 here since it's the only
# cryptographic primitive available in all versions of PHP
# currently in use. To implement our own low-level crypto
# in PHP would result in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
if (PHP_VERSION >= '5') {
$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);
} else {
$hash = pack('H*', md5($salt . $password));
do {
$hash = pack('H*', md5($hash . $password));
} while (--$count);
}
$output = substr($setting, 0, 12);
$output .= $this->encode64($hash, 16);
return $output;
}
function gensalt_extended($input)
{
$count_log2 = min($this->iteration_count_log2 + 8, 24);
# This should be odd to not reveal weak DES keys, and the
# maximum valid value is (2**24 - 1) which is odd anyway.
$count = (1 << $count_log2) - 1;
$output = '_';
$output .= $this->itoa64[$count & 0x3f];
$output .= $this->itoa64[($count >> 6) & 0x3f];
$output .= $this->itoa64[($count >> 12) & 0x3f];
$output .= $this->itoa64[($count >> 18) & 0x3f];
$output .= $this->encode64($input, 3);
return $output;
}
function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits. While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
function HashPassword($password)
{
$random = '';
if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
$random = $this->get_random_bytes(16);
$hash =
crypt($password, $this->gensalt_blowfish($random));
if (strlen($hash) == 60)
return $hash;
}
if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
if (strlen($random) < 3)
$random = $this->get_random_bytes(3);
$hash =
crypt($password, $this->gensalt_extended($random));
if (strlen($hash) == 20)
return $hash;
}
if (strlen($random) < 6)
$random = $this->get_random_bytes(6);
$hash =
$this->crypt_private($password,
$this->gensalt_private($random));
if (strlen($hash) == 34)
return $hash;
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for generating new
# hashes and for validating passwords against existing hashes.
return '*';
}
function CheckPassword($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
return $hash == $stored_hash;
}
}
Source: (StackOverflow)
i am having difficulty implementing phpass into my login procedure - not knowing how to implement it alongside my current code. i have two questions regarding the matter
1) i need to validate the hashed password entered by the user at this line with the hashed password in the database:
//select all rows where the username and password match the ones submitted by the user
$res = mysql_query("SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".$password."'");
i have been looking for an example on the internet that shows this but cannot find any. how can i implement phpass at this point?
2) the password field in my database is currently varchar(32) - do i need to make any adjustments to this to prevent truncuation when hashing new user passwords?
here is the entirety of my code for reference.
<?php
// include the hashing class
require ("resources/phpass/PasswordHash.php");
// if the user has submitted the form
if(isset($_POST['submit'])){
// protect the posted value then store them to variables
$email = protect($_POST['email']);
$password = protect($_POST['password']);
// setup header
include "resources/php/header.php";
//select all rows from the table where the username matches the one entered by the user
$res = mysql_query("SELECT * FROM `users` WHERE `email` = '".$email."'");
$num = mysql_num_rows($res);
// setup display area
echo '<div class="c13"><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td width="69%" align="left">';
//check if there was not a match
if($num == 0){
//if not display an error message
echo 'The <b>e-mail address</b> you have supplied does not exist in our database!<p>
<li><a rel='nofollow' href="index.php">Try again</a></li>
<li><a rel='nofollow' href="register.php">Register a new account</li>
';
// close display area
echo '</tr></td></table></div>';
// setup footer
include "resources/php/footer.php";
exit;
}
else { //if there was continue checking
//select all rows where the username and password match the ones submitted by the user
$res = mysql_query("SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".$password."'");
$num = mysql_num_rows($res);
//check if there was not a match
if($num == 0){
//if not display error message
echo 'The <b>password</b> you supplied does not match the one for that e-mail address in our database!<p>
<li><a rel='nofollow' href="index.php">Try again</a></li>
<li><a rel='nofollow' href="register.php">Register a new account</li>
<li><a rel='nofollow' href="forgot.php">Password recovery</li>';
// close display area
echo '</tr></td></table></div>';
// setup footer
include "resources/php/footer.php";
exit;
}
many thanks in advance
btw PasswordHash.php includes:
<?php
#
# Portable PHP password hashing framework.
#
# Version 0.3 / genuine.
#
# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
# the public domain. Revised in subsequent years, still public domain.
#
# There's absolutely no warranty.
#
# The homepage URL for this framework is:
#
# http://www.openwall.com/phpass/
#
# Please be sure to update the Version line if you edit this file in any way.
# It is suggested that you leave the main version number intact, but indicate
# your project name (after the slash) and add your own revision information.
#
# Please do not change the "private" password hashing method implemented in
# here, thereby making your hashes incompatible. However, if you must, please
# change the hash type identifier (the "$P$") to something different.
#
# Obviously, since this code is in the public domain, the above are not
# requirements (there can be none), but merely suggestions.
#
class PasswordHash {
var $itoa64;
var $iteration_count_log2;
var $portable_hashes;
var $random_state;
function PasswordHash($iteration_count_log2, $portable_hashes)
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
$iteration_count_log2 = 8;
$this->iteration_count_log2 = $iteration_count_log2;
$this->portable_hashes = $portable_hashes;
$this->random_state = microtime();
if (function_exists('getmypid'))
$this->random_state .= getmypid();
}
function get_random_bytes($count)
{
$output = '';
if (is_readable('/dev/urandom') &&
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .=
pack('H*', md5($this->random_state));
}
$output = substr($output, 0, $count);
}
return $output;
}
function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
function gensalt_private($input)
{
$output = '$P$';
$output .= $this->itoa64[min($this->iteration_count_log2 +
((PHP_VERSION >= '5') ? 5 : 3), 30)];
$output .= $this->encode64($input, 6);
return $output;
}
function crypt_private($password, $setting)
{
$output = '*0';
if (substr($setting, 0, 2) == $output)
$output = '*1';
$id = substr($setting, 0, 3);
# We use "$P$", phpBB3 uses "$H$" for the same thing
if ($id != '$P$' && $id != '$H$')
return $output;
$count_log2 = strpos($this->itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8)
return $output;
# We're kind of forced to use MD5 here since it's the only
# cryptographic primitive available in all versions of PHP
# currently in use. To implement our own low-level crypto
# in PHP would result in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
if (PHP_VERSION >= '5') {
$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);
} else {
$hash = pack('H*', md5($salt . $password));
do {
$hash = pack('H*', md5($hash . $password));
} while (--$count);
}
$output = substr($setting, 0, 12);
$output .= $this->encode64($hash, 16);
return $output;
}
function gensalt_extended($input)
{
$count_log2 = min($this->iteration_count_log2 + 8, 24);
# This should be odd to not reveal weak DES keys, and the
# maximum valid value is (2**24 - 1) which is odd anyway.
$count = (1 << $count_log2) - 1;
$output = '_';
$output .= $this->itoa64[$count & 0x3f];
$output .= $this->itoa64[($count >> 6) & 0x3f];
$output .= $this->itoa64[($count >> 12) & 0x3f];
$output .= $this->itoa64[($count >> 18) & 0x3f];
$output .= $this->encode64($input, 3);
return $output;
}
function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits. While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
function HashPassword($password)
{
$random = '';
if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
$random = $this->get_random_bytes(16);
$hash =
crypt($password, $this->gensalt_blowfish($random));
if (strlen($hash) == 60)
return $hash;
}
if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
if (strlen($random) < 3)
$random = $this->get_random_bytes(3);
$hash =
crypt($password, $this->gensalt_extended($random));
if (strlen($hash) == 20)
return $hash;
}
if (strlen($random) < 6)
$random = $this->get_random_bytes(6);
$hash =
$this->crypt_private($password,
$this->gensalt_private($random));
if (strlen($hash) == 34)
return $hash;
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for generating new
# hashes and for validating passwords against existing hashes.
return '*';
}
function CheckPassword($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
return $hash == $stored_hash;
}
}
?>
protect does this:
<?php
function protect($string){
$string = trim(strip_tags(addslashes($string)));
return $string;
}
?>
Source: (StackOverflow)
I'm creating a service which handles a lot of personal data, and therefor it's not appropriate to let the passwords simply fly out. I've been diggin' around to find any possible solutions, and one that caught my attention is phpass. I did read about it on StackOverflow over here.
I'm aware that there are a lot of questions about this subject, but I'd just like to clarify, that phpass is a secure way of storing passwords. The reason to my suspiciousness is that it doesn't use any salts (at least doesn't seem to use), which are, I've been told, the key to secure storing.
My current method is simply a sha512-hash with one user-specific salt, and another site-specific hash. Here's a clip of my PHP-code:
hash_hmac('sha512', $password.$account_specific, $site_specific);
It would be great to hear some expert-ish opinions on this matter. I apologize for creating another thread for the subject that's been and will always be asked about. Thanks in advance.
EDIT:
I've also heard that hashing a password, let's say, 1000 times is also a good way to store passwords. This way hashing only takes a few seconds (at max), but breaking the hashed password takes literally ages?
Source: (StackOverflow)
I want to use phpass-0.3 in Codeigniter, but I get the following error due to open_basedir:
A PHP Error was encountered
Severity: Warning
Message: is_readable() [function.is-readable]: open_basedir
restriction in effect. File(/dev/urandom) is not within the allowed
path(s): (/home/phginep:/usr/lib/php:/usr/local/lib/php:/tmp)
Filename: phpass-0.3/PasswordHash.php
Line Number: 51
Following code:
function get_random_bytes($count)
{
$output = '';
if (is_readable('/dev/urandom') && //Line Number: 51
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .=
pack('H*', md5($this->random_state));
}
$output = substr($output, 0, $count);
}
return $output;
}
Is there anything I can do to get around this?
Source: (StackOverflow)
Before I knew better, I implemented a login system with md5 as the hashing algorithm. Now that I do know better, I'd like to move to using PHPass. My problem is that the system is already in production and asking all users to change their passwords would be the mother of all headaches.
I've come up with a simple enough solution, but given my previous mistake I'd like to make sure I'm not making an equally grievous mistake due to ignorance.
My solution is as follows:
Change
md5($_POST['pass'])- check md5 hashed password against database value
To
md5($_POST['pass'])- pass md5 hashed password to
$hasher->HashPassword()
- use
$hasher->CheckPassword() to check the re-hashed password against value from DB
Just for clarity, I'm only re-hashing the md5 version because that's what I already have in the DB. It's not intended as an added security measure (although if it is, that's great!).
Source: (StackOverflow)
I've been using PHPass to hash my passwords for a long time. I admit that there's still things I don't fully understand (or ignore) to hash a password properly so today I was reviewing all the info I could find about it.
Reviewing PHPass documents, I've steped into this:
Besides the actual hashing, phpass transparently generates random salts when a new password or passphrase is hashed, and it encodes the hash type, the salt, and the password stretching iteration count into the "hash encoding string" that it returns. When phpass authenticates a password or passphrase against a stored hash, it similarly transparently extracts and uses the hash type identifier, the salt, and the iteration count out of the "hash encoding string". Thus, you do not need to bother with salting and stretching on your own - phpass takes care of these for you.
I've bolded the sentence that bothered me.
I always though that the salt should be somewhat secret, in the sense that it should not be known to the attacker. So if a understood correctly, PHPass stores the salt used in the same hash so it is able to use it when comparing passwords and check if valid.
My questions are
- Is this secure? If the hash is compromised, the attacker has the salt used to hash the password... There's something I miss here.
- I'm here really free to bother about salting passwords? Can I really rely on PHPass?
Source: (StackOverflow)
I need to have password protection on some web pages outside of the main Wordpress site. The users would prefer to use the usernames and passwords they already have in the Wordpress.
The obvious solution would seem to be to use the Apace module for Mysql based authentication: mod-auth-mysql.
This however does not seem to be possible, because Wordpress uses Phpass password encryption, which is not supported by mod-auth-mysql.
Is there any way to get around this limitation?
Source: (StackOverflow)
With 'portable_hashes' turned on.
I've noticed that for whatever reason, the hashes it generates aren't always the same - but always return as valid when passed through 'CheckPassword'. I've also noticed that 'PHP_VERSION' is used in the generation of the hash - these two things combined have me worried... How portable is portable? Can I move the hashes (Saved in a user database) between servers, linux, windows, 64-bit, 32-bit, etc. - and still have them validate? What would I have to do to make the passwords not validate anymore?
The reason I ask is because I'm using phpass for passwords in my framework which will power several of my sites, many of which currently have several thousands of users - and there have been cases where I've had to move them onto different servers, and of course upgrade php. I also may switch one or two of them off of Apache to, say, lighthttpd or something similar. Needless to say I'm extremely paranoid I'm going to have a support nightmare someday and I won't be able to fix it in any other way than emailing new passwords to everyone (Which sounds really insecure).
If there's even the slightest chance that the passwords will ever be made invalid - what steps would I have to take to make my own password hash generator? I already use a 16-byte random salt (Per-user), and other than that the only other issue is stretching - right?
Source: (StackOverflow)
I'm getting the following warning when using PHPass (http://www.openwall.com/phpass/):
open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s)
Although this is not a big problem (it will fall back on something else), I'd like not to have this warning. The PHP application should run on different servers, some users will be able to add that path to their allowed open_basedir paths, but others won't have access to that configuration.
My first guess was to check readability with is_readable(), however, I'm still getting the warning.
The question: How do I check if a certain path or file has been added to the open_basedir paths?
Source: (StackOverflow)
I'm reading phpass manual. At some point, it checks the result of the hashing like this:
$hash = $hasher->HashPassword($pass);
if (strlen($hash) < 20)
fail('Failed to hash new password');
I understand that's the minimum lenght for a phpass hash, but I don't understand why would it fail. Is it even possible? I mean, who/what should I blame if it happens? How to prevent that? I also posted a comment about this in the web page.
For reference, you can find the code of PasswordHash::HashPassword() in this question: How can * be a safe hashed password?
Source: (StackOverflow)
I am currently writing a program and part of it involves securely creating password hashes to store in a database and I came across the phpass framework, which seems to be highly recommended. In phpass, they seem to go through great lengths to produce a salt that is as truly random as possible to be used for the hashes (e.g. reading from /dev/urandom).
My question is, what is the benefit of doing this as opposed to simply using uniqid()? Isn't the point simply to make sure that the salts used for the hashes are different from each other rather than random? Wouldn't using a truly random salt actually be worse than using a unique salt since it could potentially produce collisions while uniqid() won't?
Edit: My question wasn't about whether or not "true" randomness exists in computer environments, so maybe I misphrased it a bit, however my question was more along the lines of whether a "more" random salt has any benefit over more uniqueness as a salt.
Source: (StackOverflow)
I'm checking out the PHPass Library that has been recommended in a lot of answers here on SO. But when I look at the generated passwords, I see something like this:
Now some of these are just 1234, some are a bit more complex. Some are really complex (uppercase, lowercase, characters) etc. But still, I keep seeing that the first 7 characters are always same, no matter what the password is. Isn't this making it easy to guess? I don't know much about rainbow or dictionary attacks, but this looks weird. Is this usual? Is this a bug? Is the framework good enough to use in production environments?
Source: (StackOverflow)
Just want to use PHPass in Codeigniter to hash the password. I downloaded the zip file from phpass website, extracted the content, and copied the PasswordHash.php file into my libraries folder.
Then I loaded that library in my controller and tried to hash password but it gave following errors
Missing argument 1 for PasswordHash::PasswordHash(), called in ...
Missing argument 2 for PasswordHash::PasswordHash(), called in ...
Undefined variable: iteration_count_log2 ...
Undefined variable: portable_hashes ...
Please check my controller code below and help me to find the mistake:
$this->load->library('PasswordHash');
$password = $this->input->post('password');
$hash = $this->passwordhash->HashPassword( $password );
Source: (StackOverflow)
I am building a external application for which user login credentials will be taken from WordPress site database table 'users'
WordPress uses PHPass hashing , I am unable to validate username and password for my external application as the password in database table 'users' is hashed
I am trying to check plain password with hashed password using wp_check_password function but I am failing, nothing is written back with this code
<?php
$password = '965521425';
$hash = '$P$9jWFhEPMfI.KPByiNO9IyUzSTG7EZK0';
require_once('/home/nhtsoft/public_html/project/wp-includes/class-phpass.php');
function wp_check_password($password, $hash) {
global $wp_hasher;
if ( empty($wp_hasher) ) {
$wp_hasher = new PasswordHash(8, true);
}
$check = $wp_hasher->CheckPassword($password, $hash);
return apply_filters('check_password', $check, $password, $hash);
}
?>
this code is giving me an empty page.
How to check this password so that I can use these WordPress credentials for external app login?
Source: (StackOverflow)
I have a php site with several thousand users that is using PHPass for password hashing. I've written a new Rails site that is using Devise for authentication. I'm trying to seamlessly migrate users over to the new rails site. Does anyone know a way I can migrate their passwords over to the new site?
I originally thought it would be as simple as copying a salt over, but clearly it's not that simple.
I found this question/answer, but I can't figure out what my PHPass salt is, and how I would use that to translate the passwords into something Devise can understand.
Any help is really appreciated!
Source: (StackOverflow)