Could you be more clear? I’m not understanding what it is that you’re trying to do.
WordPress checks its passwords like this:
$password = 'plaintext password';
$hash = 'hash of the password from the database';
require_once( '/path/to/wp-includes/class-phpass.php');
$wp_hasher = new PasswordHash(8, TRUE);
$check = $wp_hasher->CheckPassword($password, $hash);
If $check comes back true, you’re authenticated.
If you want to create a new hash for a password, then do this:
$hash = $wp_hasher->HashPassword($password);
this is all new to me and I’m trying to understand this whole concept of “hashing.” I used what you posted above, plugging in my password and what it displayed on the screen doesn’t equal what’s in my db table. I’m used to authenticating against md5 hashes.
Where do I get this value from?
“$hash = ‘hash of the password from the database’;”
Do I have to pull the hash out of the DB first and then compare it against what the user inputs?
Do I have to pull the hash out of the DB first and then compare it against what the user inputs?
Well, only if you want to check if the hash matches, I suppose.
Look, this is no different than MD5 hashing. You take a password, run it through a function, and get some kind of gibberish back. WordPress doesn’t use MD5 anymore because it’s been broken using rainbow tables and such.
$password = 'plaintext password';
require_once( '/path/to/wp-includes/class-phpass.php');
$wp_hasher = new PasswordHash(8, TRUE);
echo $wp_hasher->HashPassword($password);
That will output the hash that is supposed to be in the database.
I get what you’re saying and I just tried the code you put up just now and the hash DOESN’T match what’s in the database!
If i keep refreshing the page, I get a new hash, so how could it possibly match what’s in the DB table?
OHHH. I see what the problem is. You don’t know about salt. I should have realized, it’s not a normal MD5 thing. π
See, this password hash is salted to prevent dictionary attacks. That is, some random amount of bytes is added to the password and the hash. That means that you can generate a hash and it’ll be different each time. Every generated hash will work, but they’ll all be different.
To VALIDATE a hash, you have to pull it out of the database first, then run it through the CheckPassword() function, like I described before.
bingo! that’s all i needed to know. I’m sitting here playing w/ the functions and I get a completely different hash each time! thanks for the clarification. i’ll play with it a little more.
So my assumption with pulling it from the DB first is correct?
So my assumption with pulling it from the DB first is correct?
Yes, to check if it is correct you have to pull the hash and let the CheckPassword function do the work. Sorry I didn’t see where you were going with it before. π
Sorry to jump into this thread. I do have a related question. Having the password salted means that if I do this
UPDATE wp-users SET user_pass = MD5('password') WHERE user_login = 'admin'
would not properly reset my password ? So all the procedures described elsewhere in the CODEX are in fact wrong now ? How can I reset a password, for example, is the user email is no longer accessible ?
Thanks so much.
guischarf:
I used this code, taken from the Codex Resetting Your Passord article, successfully to change the admin password in a MySQL 4.1.22-standard environment:
UPDATE wp_users SET user_pass = MD5( 'celery' ) WHERE user_login = 'admin'
Also wp-users is not the same as wp_users. Please confirm your table names are prefixed properly with the $table_prefix value in wp-config.php.
I also used phpMyadmin as described in Resetting Your Password to successfully change the password. Using WordPress 2.6.2.
I, too, have a related question. I have a section of my site using home-rolled software that doesn’t use any of the WP includes. But I’d like to be able to use WP for admin log-in (don’t need it for users). That means I need my software to know when admin is logged in, which I presume WP achieves using the cookies. I used to be able to take the info from the cookie, hash the has and compare this with the wp_user table. But all this salting of hashes has made life more difficult.
Is there any way to take the info from the cookies and compare this with the DB to see if a user is logged in? I presume WP does this itself, but is there any kind of API for this? Presumably, $wp_hasher->CheckPassword($password, $hash); works only with plain text passwords…
second what rotsky said. I guess I could just take it for granted that nobody will go to the trouble of having a wp_logged_in_ cookie with the username in it, but it’d be nice to be a little bit tighter than that.
ok gurus is there anything wrong with including the following code in apps that need to authenticate using wordpress cookies?
require_once 'wp-config.php';
require_once 'wp-settings.php';
require_once 'wp-includes/pluggable.php';
$user_id = wp_validate_auth_cookie();
(etc)
Is the code used above still good for 2.7.1?
hi,
bulldoggy have you authenticate using wordpress cookies? I have an app that need it.
Thanks
