I have a website with woo commerce installed in it. I am currently using it as an online store. However I want to make an app version of the website so that people can sign up, sign in and purchase stuff on the app as well as the website.
So I figured I would have to encrypt the users password the same way woo commerce encrypts it so that a password sent from the app would have the same hash as one sent through the woo commerce.
The problem is I don’t know how woo commerce encrypts their passwords and I tried searching it up but didn’t get anything.
Although I had a hunch that WordPress and Woo commerce encrypted passwords in the same way until I made two accounts with the same passwords, one through WordPress and one through woo commerce and their hashes came out differently on my database.
If someone can help me figure out how to have two identical password hashers preferably without doing away with the woo commerce login system I already have, I would be gratefully.
Alternatively: If someone could show me where the php file that woo commerce uses to encrypt their passwords is that would be awesome too!
Thanks in advance.
This was apparently too long for a comment…
If you look in the wp_users table after you change someone’s password, their user_pass field is going to look like
$P$BCaLL1.Kcf3mWvwhEvQedwyX.etREw.
. The$P$
is a flag indicating that PHPass generated the password. The next 8 charactersBCaLL1.K
are a random salt that’s unique for every user. And the remaining characters are the result of running a hashing function (bcrypt) on the password a number of times, appending the salt to the value each time it’s about to run the hash again.You might think having the salt there in plaintext is a security risk, but having a unique salt per record makes it harder to use rainbow tables to crack the password, and running the hash algorithm multiple times and salting it each time makes it computationally expensive to crack.
To answer your original question, the
wp_hash_password()
function is the place to start. You can see how it interacts with PHPass to generate the hash.It turns out that woo commerce and WordPress do use the same password hasher (In this case phpass).
However the password hasher does not hash the same password in the same way twice. So the only way to check if a password given in plain text is the same as a password that was encrypted is to run a special function.
In this case the special function for phpass is ‘checkpassword’:
In the example it checks the plain text password against a hash to see of they are the same. More information about it can be found in the ‘test.php’ file present in the folder of a download of phpass.
In my case I just had to download phpass and implement the ‘checkpassword’ function.