How does WordPress encrypt passwords?

I am working with a site that is done with WordPress, and I need to add some parts that are outside WP and check user login, but I can’t find how WP encrypts the password before it writes it to the DB…

I tried with md5 but it’s not…

Does anyone know how to check the password outside WP, without using its plugins/checkers, in clear PHP code?


3 comments

  1. It sounds like you want to use external code to validate usernames/passwords against WP’s database. If that’s correct, you’re going to spend a lot of time reinventing the wheel. But for a good example of how to do this using straight PHP, it’s a good idea to take a look at the core WP functions that already do it.

    Case in point, `wp_check_password()`:

    function wp_check_password($password, $hash, $user_id = '') {
        global $wp_hasher;
    
        // If the hash is still md5...
        if ( strlen($hash) <= 32 ) {
            $check = ( $hash == md5($password) );
            if ( $check && $user_id ) {
                // Rehash using new hash.
                wp_set_password($password, $user_id);
                $hash = wp_hash_password($password);
            }
    
            return apply_filters('check_password', $check, $password, $hash, $user_id);
        }
    
        // If the stored hash is longer than an MD5, presume the
        // new style phpass portable hash.
        if ( empty($wp_hasher) ) {
            require_once ( ABSPATH . 'wp-includes/class-phpass.php');
            // By default, use the portable hash from phpass
            $wp_hasher = new PasswordHash(8, TRUE);
        }
    
        $check = $wp_hasher->CheckPassword($password, $hash);
    
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
    

    First, WordPress checks to see if the user’s hashed password is still using old-school MD5 for security. This is to preserve backwards compatibility for updates. If the password is MD5, then WordPress will automatically replace it with a new hash using the new system (the call to wp_set_password()). If it isn’t MD5, then WP moves on to the newer hashing setup.

    First, we include the Portable PHP Hashing Framework (already mentioned by @John Watson in another answer) and create an instance of it, storing it in the global $wp_hasher variable.

    We then pass in the plaintext password and the hash to verify it against, using the CheckPassword() method of the library.

    If you want to use this in an external library, you’ll have to first include/require the library, then instantiate it, then pass in your plain text password and its hash. So some untested pseudo-code …

    function validate_password( $plaintext, $hash ) {
        // Load the same phpass class WordPress core ships in wp-includes/.
        require_once( 'class-phpass.php' );
        // Same settings as core: cost 8, portable ($P$) hashes.
        $hasher = new PasswordHash(8, TRUE);
    
        // $hash is the value stored in wp_users.user_pass for this user.
        return $hasher->CheckPassword( $plaintext, $hash );
    }
    
  2.

    require_once( '/path/to/wp-includes/class-phpass.php' );
    // Same settings WordPress core uses: cost 8, portable ($P$) hashes.
    $wp_hasher = new PasswordHash( 8, TRUE );
    $password = 'swordfish';
    $hashed_password = $wp_hasher->HashPassword( $password );
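As an added example (not code from the question or either comment), here is the same check `wp_check_password()` performs, written in plain PHP with no dependency on `class-phpass.php`: it reimplements the phpass portable-hash computation that class performs (`$P$`/`$H$` prefix, cost character, 8-character salt, 2^cost rounds of MD5 over the raw digest) plus the legacy 32-character MD5 branch, and compares with `hash_equals()`. Function names and the `$stored` variable are assumptions; WordPress releases that store other hash formats are not covered.

```php
<?php
// Added example, not from the original answers: a stand-alone check that
// mirrors wp_check_password() without loading class-phpass.php.
// Accepts the legacy 32-char MD5 hash and phpass portable hashes ($P$/$H$).
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base64 variant: 6 bits per output character, little-endian.
function phpass_encode64(string $input, int $count): string {
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a portable hash from its stored setting ($P$ + cost char + 8-char salt).
function phpass_crypt(string $password, string $setting): ?string {
    if (!in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) { return null; }
    $count_log2 = strpos(ITOA64, $setting[3]);   // WordPress writes 'B' here: 2^13 rounds
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30) { return null; }
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) { return null; }
    $count = 1 << $count_log2;
    $hash = md5($salt . $password, true);        // raw 16-byte digest, as phpass does
    do { $hash = md5($hash . $password, true); } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function wp_style_check_password(string $password, string $stored): bool {
    if (strlen($stored) <= 32) {                 // legacy pre-phpass row: plain MD5
        return hash_equals($stored, md5($password));
    }
    $computed = phpass_crypt($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// Usage (assumes $stored was read from wp_users.user_pass for this login name):
// var_dump(wp_style_check_password($_POST['pwd'], $stored));
```

A hash produced by `HashPassword()` in the second comment verifies with `wp_style_check_password()`, and a legacy MD5 row still verifies, but unlike core this function does not rehash it; do that in your own code if you keep such rows.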