Support » Plugin: External Login » SHA1 and MD5

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author tbenyon

    (@tbenyon)

    Hey @danfelbm,

    The plugin supports custom hashing systems.

    I recently wrote a support post on it here:
    https://wordpress.org/support/topic/custom-hash-for-password/

    Does this answer your question?

    Thanks,

    Tom 🙂

    Daniel

    (@danfelbm)

    Thank you @tbenyon,

    UNA uses the following encryption:
    SHA1(CONCAT(MD5('the_password'), salt))

    The salt being the individual pass salt and the_password being the raw user pass. However in the hook exlog_hook_filter_authenticate_hash I don’t see a way to retrieve this salt information.

    Any advice?

    Daniel

    (@danfelbm)

    That’s the salt right there, sorry.

    function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
        return sha1(md5($password) . $hashFromDatabase);
    }
    add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    Seems to be working just fine now.

    Any advice if the code above is wrong?

    • This reply was modified 2 months ago by Daniel.
    Plugin Author tbenyon

    (@tbenyon)

    Hey Daniel,

    This doesn’t look right unfortunately but it is a good start.

    The goal here is not to return the hash but to validate if the password provided is correct.

    Inevitably checking that the hash that you generate in this function matches the hash that is stored in your database.

    The salt is not $hashFromDatabase. It is something that will be unique to your external system. In some systems every user has their own salt (the most secure way of doing it) and in some systems there is one salt for all systems.

    You’ll have to research your system to find out what it uses for salting passwords when hashing.

    Your end solution will look something like this:

    
    function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
        return sha1(md5($password) . 'someSaltHere') === $hashFromDatabase;
    }
    add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
    

    If you’re confused about what a salt is and this is not making sense I would strongly recommend this article:
    https://martinfowler.com/articles/web-security-basics.html
    Skip to the title: “Hash and Salt Your Users’ Passwords”

    Hope this helps 🙂

    • This reply was modified 2 months ago by tbenyon.
    Daniel

    (@danfelbm)

    Thank you very much for your time @tbenyon!
    Indeed, in the case of UNA each user has its own salt. I’ll try to come up with a proper solution.

    Plugin Author tbenyon

    (@tbenyon)

    If that salt is stored in the user table, you will have access to it here. If that is the case let me know and I can show you how to make it work 🙂
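
The per-user-salt case discussed above, as an added example that is not part of the original thread and is not the plugin's own code. It assumes the external user row arrives in `$externalUserData` as an array with the salt under a key named `salt`; the function name and the sample values are hypothetical, so adjust the key to the column your external table actually uses.

```php
<?php
// Added example. Assumption: $externalUserData is the external user row as an
// array and the per-user salt is stored under the (hypothetical) key 'salt'.
function unaStyleHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
    // Fail closed when the row has no usable salt or no stored hash.
    if (!is_array($externalUserData) || empty($externalUserData['salt'])
        || !is_string($hashFromDatabase) || $hashFromDatabase === '') {
        return false;
    }

    // Scheme quoted in the thread: SHA1(CONCAT(MD5(password), salt)).
    $computed = sha1(md5((string) $password) . $externalUserData['salt']);

    // hash_equals() compares in constant time, unlike ===.
    // sha1() returns lowercase hex, so normalise the stored value first.
    return hash_equals(strtolower($hashFromDatabase), $computed);
}

if (function_exists('add_filter')) {
    // Inside WordPress: register the validator with the plugin's hook.
    add_filter('exlog_hook_filter_authenticate_hash', 'unaStyleHashAuthenticator', 10, 4);
} else {
    // Stand-alone run with constructed data, to exercise the three outcomes.
    $row    = ['salt' => 'c0nstructedSalt'];
    $stored = sha1(md5('correct horse') . $row['salt']);

    var_dump(unaStyleHashAuthenticator('correct horse', $stored, 'demo', $row)); // right password
    var_dump(unaStyleHashAuthenticator('wrong guess', $stored, 'demo', $row));   // wrong password
    var_dump(unaStyleHashAuthenticator('correct horse', $stored, 'demo', []));   // salt missing
}
```

SHA1 and MD5 are fast hashes, so this check only reproduces the external system's scheme for compatibility; it does not make the stored hashes any harder to brute force if the external table leaks.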

    Plugin Author tbenyon

    (@tbenyon)

    Hey @danfelbm,

    I haven’t heard back for over a week so I presume you know what you’re doing now so I’ll mark this as resolved.

    If you have any more questions though, don’t hesitate to come back to me and I’ll be more than happy to help. 🙂

    Thanks,

    Tom 🙂
