Is it possible to get a user with just the password field?

April 5, 20230 Views

I tried doing something like this:

$user = $wpdb->get_row('
    SELECT * 
    FROM ' . $wpdb->users . ' 
    WHERE user_pass = "' . wp_hash_password('password') . '"'
);

But the wp_hash_password function generates a different string from the one in the database, is it possible?

What I’d like to do is have a custom form in my template that just asks for a password (think of it like the username/pwd screen to the WP admin area without the username) so I’d hash whatever the user inputs, compare it with my DB and if it matches take that user and log him in.

Post Views: 0

3 comments

Anonymous says:

April 5, 2023 at 1:56 am

Password is not unique all the time.

According to worst password statistics, password is the most used Password of all time.

I’m pretty sure some of your users too use that password.

So multiple rows will contain the same hash. Hence its not possible.

By the way, this is a weird question.

Log in to Reply

Per the comments I’m going to answer a paraphrased question – “How to make a login form which shows only the password field in most cases”.

The answer is to store the user name in a very long term cookie (a year?) every time the user logins.

function wpse82578_set_user_cookie($logged_in_cookie, $expire, $expiration, $user_id, $state) {
  if ($state == 'logged_in') { // user has logged in - store his name in a 'username' cookie
    $user = get_user_by( 'id', $user_id );
    setcookie('username', $user->user_login, time() + 365*24*60*60, COOKIEPATH, COOKIE_DOMAIN);
  }
}
add_action('set_logged_in_cookie', 10,5);

Now in you PHP code you can check if the cookie is set and show or hide the user name field in your form.

function wpse82578_echo_login_form() {
   ...
   if (isset($_COOKIE['username'])) { // already know the user name, no point in asking for it again so just put it as hidden field
     <input type="hidden" name="log" value="<?php esc_attr($_COOKIE['username'])?> />
   else { // show the field+label, ripped from wp_login_form
        <p class="login-username">
            <label for="' . esc_attr( $args['id_username'] ) . '">' . esc_html( $args['label_username'] ) . '</label>
            <input type="text" name="log" id="' . esc_attr( $args['id_username'] ) . '" class="input" value="' . esc_attr( $args['value_username'] ) . '" size="20" tabindex="10" />
        </p>
    }
}

No warranties for this code, but I think it is the best approximation to what you want without sacrificing security and messing with the WordPress user system.

Here’s what I ended up doing in case someone else need a similar functionality:

// Simple text password
$client_password = $_POST['client_pwd'];

$users = get_users();

// Iterate over all users and see if the password matches
foreach ($users as $user) {
    // If it matches log the user in
    if (wp_check_password($client_password, $user->user_pass)) {
        $user = wp_signon(
            array(
                'user_login'    => $user->user_login,
                'user_password' => $client_password
            )
        );

        if (!is_wp_error($user)) {
            // Redirect or do something else
        }
    }
}

Leave a Reply Cancel reply

3 comments

Password is not unique all the time.

Social Network

Related posts

Leave a Reply Cancel reply

3 comments

Password is not unique all the time.

Social Network