How is the user password encrypted? wp_hash_password

Viewing 4 replies - 1 through 4 (of 4 total)
  • Xephan

    (@xephan)

    WordPress uses the phpass library to do encryption. Although it can use md5 encryption, it’s iterated for password stretching and it’s stored somewhat differently; that’s why you see the $P$ prefix, which is phpass’ identifier for the encryption used.

    I’m not quite sure what you are trying to achieve, maybe login integration to WordPress from elsewhere, in which case you should simply compare the result from wp_hash_password (I haven’t tried it and assume this is the correct function in WP) to what is stored in the database.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Try something more like this:

    // $user is the WP_User object being checked (e.g. from get_user_by()), $password the submitted plaintext
    require_once ABSPATH . WPINC . '/class-phpass.php';
    $hash = $user->user_pass;                 // the stored "$P$..." string from wp_users.user_pass
    $wp_hasher = new PasswordHash(8, TRUE);   // same parameters WordPress core uses: 8 = iteration count log2, TRUE = portable hashes
    $check = $wp_hasher->CheckPassword($password, $hash);

    If $check is true, they match.

    BTW, the reason you can’t generate the same hash twice is because of the use of a salt. Salting the password when hashing makes the hash harder to hack using dictionary attacks. This is why generating the hash again and comparing won’t work. The hash isn’t the same every single time. The check function takes part of the hash (the salt) and the password and recomputes the hash with that salt, thus allowing it to check properly.

    Xephan

    (@xephan)

    I’d recommend that, to be forward compatible, you use the WordPress wrapper functions instead of directly accessing the phpass functions. We never know if the WP devs or the site owner will decide to change the hash parameters or add a new hasher option.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    True. You can use the wp_check_password() function; it’s just a wrapper around this.
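
For the "login integration from elsewhere" case the thread is about, here is an added example (not code from the thread, from phpass or from WordPress): a stand-alone Python re-implementation of the portable phpass "$P$" scheme Otto describes, where the salt and iteration count are carried in the first 12 characters of the stored hash and the check recomputes the hash from them. The names hash_password/check_password, the fixed salts and the sample passwords are this example's own; the format details (phpass's alphabet, 6-bit encoding, the 7..30 bound on the count, and the 2^13 iterations behind the usual "$P$B" WordPress prefix) follow the phpass source. Inside WordPress, call wp_check_password() as Otto says rather than this.

```python
# Added example (not from the thread, phpass or WordPress): a stand-alone
# verifier for the portable phpass "$P$" hashes WordPress stores in
# wp_users.user_pass, for checking WordPress credentials from another system.
import hashlib
import hmac
import os
from typing import Optional

# phpass's own alphabet; the position of a character is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass's non-standard base64: little-endian 6-bit groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Recompute a portable hash from the stored string, whose first 12 characters
    ("$P$", count character, 8-character salt) are the parameters. Raises
    ValueError on a malformed setting instead of phpass's "*0"/"*1" sentinels."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):  # $H$: phpBB's identical variant
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:   # same bounds phpass enforces
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):        # the stretching Xephan refers to
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)   # 12 + 22 = 34 characters


def hash_password(password: str, count_log2: int = 13, salt: Optional[bytes] = None) -> str:
    """Produce a new "$P$" hash with a fresh 6-byte random salt (8 encoded chars).
    count_log2 = 13 ("B") matches WordPress's PasswordHash(8, TRUE), which adds 5
    to the requested count on PHP 5+. A fixed salt is accepted only for tests."""
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    if salt is None:
        salt = os.urandom(6)
    setting = "$P$" + ITOA64[count_log2] + _encode64(salt)[:8]
    return _crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of CheckPassword()/wp_check_password() for "$P$" hashes:
    rehash with the salt embedded in stored_hash and compare in constant time."""
    try:
        computed = _crypt_private(password.encode("utf-8"), stored_hash)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode("utf-8"), stored_hash.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: two hashes of the same password differ (different salt),
    # yet both verify, which is why "hash again and compare" never works.
    first, second = hash_password("correct horse"), hash_password("correct horse")
    print(first, second, first != second)
    print(check_password("correct horse", first), check_password("wrong", first))
```

Two caveats a practitioner will want: phpass's CheckPassword() compares with plain ==, and its crypt_private() falls through to PHP's crypt() for bcrypt or extended-DES settings, while wp_check_password() additionally accepts a legacy 32-character plain md5 hash and rehashes it with phpass after a successful login; this example handles only the "$P$" form and rejects everything else.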
