• Evening…

    I am currently developing a baseline plugin for WordPress 2.7 that will allow me to either update or add users from an outside source. The trick is, due to the way the plugin is being designed, the security requirements, and planned expansions of this plugin, I have run into a lack of documentation, at least that I can find, regarding the WP core…

    Can anyone tell me how WP encrypts its passwords? What I am looking to do is add the code to my plugin that will take an externally provided email, password, and other data, and perform the following basic steps:

    1. Verify that the email exists
        1. If email exists then decrypt the password from external source…
        2. Re-encrypt the password from the external to meet WP specs…
        3. Verify that the encrypted password now matches the one stored in the DB…
            1. If the two match, then update the data as specified…
            2. Otherwise abort, and notify user, sender, and site owner of incorrect match…
        • If email doesn’t exist, then proceed to add a new user to the system…

    Hopefully this makes sense, as I can’t really post too much here right now, without giving away what I am working on… I already have coded the plugin to retrieve the data from the DB, and check the email, but outside of my test system I don’t dare even put the code on my online test site for my beta testers to work with till I can also verify the password is a match for those who are only updating and linking the WP account with the external account / system. I can provide a bit more via email or private message so feel free to catch up with me that way if you need more help with what I am looking for.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter Knight Vash

    (@infiniteknight)

    Okay, given the lack of direct answers here, and a good deal more digging on the net, I have come across a partial answer to what I am after…

    I found the code for dealing with passwords, including a password check function in the following location:

    /wp-includes/pluggable.php

    function wp_check_password($password, $hash, $user_id = '') {
    	global $wp_hasher;
    
    	// If the hash is still md5...
    	if ( strlen($hash) <= 32 ) {
    		$check = ( $hash == md5($password) );
    		if ( $check && $user_id ) {
    			// Rehash using new hash.
    			wp_set_password($password, $user_id);
    			$hash = wp_hash_password($password);
    		}
    
    		return apply_filters('check_password', $check, $password, $hash, $user_id);
    	}
    
    	// If the stored hash is longer than an MD5, presume the
    	// new style phpass portable hash.
    	if ( empty($wp_hasher) ) {
    		require_once( ABSPATH . 'wp-includes/class-phpass.php');
    		// By default, use the portable hash from phpass
    		$wp_hasher = new PasswordHash(8, TRUE);
    	}
    
    	$check = $wp_hasher->CheckPassword($password, $hash);
    
    	return apply_filters('check_password', $check, $password, $hash, $user_id);
    }

    Now that I have the function I need, the next thing I need to know is whether I need to declare it as a global or not in my plugin, like I do $wpdb…
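
What `$wp_hasher->CheckPassword()` in the function quoted above does for a `$P$` hash, re-implemented as an added example (not part of the original post, and not WordPress or phpass source code): the salt and cost are read back out of the stored hash, so nothing is decrypted, and a hash computed elsewhere under a different salt will not equal the stored one. The `demo_*` names, sample passwords and salts are constructed for illustration, and `hash_equals()` is this example's choice for the comparison.

```php
<?php
// Added illustration, not WordPress or phpass source.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base-64 variant: 6-bit groups taken low bits first, no padding.
function demo_encode64(string $input, int $count): string {
    $a = ITOA64; $out = ''; $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= $a[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $out .= $a[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $out .= $a[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $out .= $a[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Hash $password under the setting (id, cost, salt) carried in $setting,
// which may be a complete stored hash.
function demo_crypt_private(string $password, string $setting): string {
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return '*0';                          // not a portable hash
    }
    $log2 = strpos(ITOA64, $setting[3]);      // cost character -> log2(iterations)
    if ($log2 === false || $log2 < 7 || $log2 > 30) return '*0';
    $salt = substr($setting, 4, 8);
    $hash = md5($salt . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true); // key stretching
    }
    return substr($setting, 0, 12) . demo_encode64($hash, 16);
}

// Same two branches as wp_check_password(): legacy MD5, otherwise phpass.
function demo_check_password(string $password, string $stored): bool {
    $candidate = strlen($stored) <= 32 ? md5($password) : demo_crypt_private($password, $stored);
    return hash_equals($stored, $candidate);
}

// Constructed sample data: made-up salts, cost character 'B' (2^13 rounds).
$stored = demo_crypt_private('correct horse', '$P$BabcdEFGH');
var_dump(demo_check_password('correct horse', $stored)); // right password
var_dump(demo_check_password('wrong guess', $stored));   // wrong password
// Same password under another salt: compare with the stored hash directly.
var_dump(hash_equals($stored, demo_crypt_private('correct horse', '$P$BzyxwVUTS')));
```

Runs from the PHP 7+ command line without a WordPress install.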

    Did you get your plug-in working? I have a members web site which requires login with personal username and password and I want to add a WordPress blog facility within the site. Want one user name and password for both facilities.

The topic ‘Password Encryption’ is closed to new replies.