replicating wordpress password hash in mysql

So I would like to be able to change password hashes that exist in my wordpress wp_user table in the user_pass column. I am hoping to be able to write something as followed:

# simplified version of what is desired.
UPDATE `wp_user` SET user_pass = MD5('123') WHERE user_email = 'some_dudes@someplace.com';

Basically, I want to be able to set a users password in mysql such that after I set it using a query, wordpress will continue to accept this password as valid when a user types it in through the sign-on form. I am reviewing the PHPass info regarding this as well as the contents of class-phpass.php in the wordpress source. From my research, this seems extremely complicated to do, if not unfeasible. Am I missing something or is this actually intended to be hard or potentially obfuscated? Would it be possible to replicate this functionality in MySQL? Any help would be appreciated. Thank you kindly.

Read More

EDIT REGARDING PROGRESS:
It is the case that if you only need a development level of security then you can actually use the following:

UPDATE `wp_user` SET user_pass = MD5('123') WHERE id = 1342;

I should better explain why this works. WordPress will for legacy compatibility reasons default to an MD5 Hash. Basically, when a password is passed to word press it runs the wordpress PHPass hash, this will fail for something like MD5('123') Then wordpress will try other, simpler hash algorithms, like SHA1 and finally MD5. Then if a match is found on one of these, wordpress actually updates the password column of the record in question. It updates the given password to PHPass. After this happens your still good to go. This basically works perfectly for a dev environment, but a MySQL query that matches the work of PHPass is an epic task. If I crack that, that will be my next update. Apparently wordpress is running salt appended blowfish hashes about 8000 times over to generate the final hash result.

Related posts

Leave a Reply

1 comment

  1. Quite easy actually you even posted a correct sql from what I see.

    <?php
    
    $connection = mysql_connect('SERVER', 'USERNAME', 'PASSWORD');
    
    mysql_select_db($database, $connection);
    
    mysql_query('SQL_YOU_POSTED', $connection);
    
    ?>