1

I can't find out how Joomla encrypts passwords. My problem is that I want to reproduce the exact method Joomla uses in a simple PHP page with a form and without any OOP method.

So this is my input as a password: test

and this is my output as an encrypted password in the Joomla database: $2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm

I found out that it is maybe connected with BLOWFISH encryption, but it needs something else (for example: a generated salt or a token in the database which I couldn't find).

Dan
  • Possible duplicate of [using php to create a joomla user password?](http://stackoverflow.com/questions/2727043/using-php-to-create-a-joomla-user-password) – Jocelyn Jun 29 '16 at 23:38

3 Answers

3

Joomla! uses PhPass.

root/libraries/phpass/PasswordHash.php

Have a look here. You will see how the password is generated.

The $2y is the default (and preferred) prefix on bcrypt hashes. As for code, you'll want to look inside JUserHelper's hashPassword and verifyPassword methods to see how Joomla's working with things right now.

Some references:

https://github.com/joomla/joomla-cms/blob/3.4.1/libraries/joomla/user/helper.php#L296-L387

https://docs.joomla.org/API15:JUserHelper/getCryptedPassword

https://docs.joomla.org/API15:JUserHelper/getSalt

Check the links, I hope it will help you ;)

Community
Joomler
1

Hi, the encryption is done by the class in 'PasswordHash.php', which in Joomla is located under libraries/phpass.

If you want to use it in a PHP script outside the Joomla framework, you can import only this class. This is an example:

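    <?php
    // phpass class file copied from Joomla's libraries/phpass directory
    require 'PasswordHash.php';
    header('Content-type: text/plain');
    // 10 = log2 of the iteration count, TRUE = use phpass portable hashes
    $t_hasher = new PasswordHash(10, TRUE);
    $correct = 'test';
    $hash = $t_hasher->HashPassword($correct);
    print 'Hash: ' . $hash . "\n";
    // Get the password to check from the GET variable (empty string if missing)
    $p = isset($_GET['p']) ? $_GET['p'] : '';
    // Check whether it matches the hash
    $check = $t_hasher->CheckPassword($p, $hash);
    if ($check) {
        print 'CORRECT PASSWORD';
    } else {
        print 'WRONG PASSWORD';
    }
    ?>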

Then you call this script with yourscriptname.php?p=PASSWORDTOCHECK.

Here you can find the documentation of the class http://www.openwall.com/phpass/

Davide
  • @Dan you will get all the required things in `configuration.php` file – Joomler Feb 11 '16 at 08:54
  • I found a secret variable in the configuration.php. But unfortunately I don't know exactly how I can use it to generate the password that I need – Dan Feb 11 '16 at 09:08
  • The "secret word" has nothing to do with the password hash. Password hashing is not exclusively handled by phphash. Unless you are using an out of date version of php use the native hashing. I would just copy the code from where the core cms handles it. – Elin Feb 12 '16 at 02:30
0

Thank you for your reply.

I use your code in my page with a form, but the output ($hash) is not the same as the one I want

    <?php
    require 'PasswordHash.php';
    if (isset($_POST['send'])) {
        $t_hasher = new PasswordHash(10, TRUE);

        $correct = $_POST['pass'];

        $hash = $t_hasher->HashPassword($correct);

        print 'Hash: ' . $hash . "\n";
    }
    ?>

    <form action="" method="post">

        <input type="text" name="pass">

        <input type="submit" name="send" value="send">

    </form>

This is my code, and the class is in the root directory, so it works fine. So the output is always different. This hash might be stored somewhere in the code or in the database to generate this ($2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm) password

Dan
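
Why the output differs on every run, as an added example (not code from any of the posts, from Joomla or from phpass): a bcrypt string carries its own cost and random salt, so a login check re-hashes the candidate password with the stored salt instead of comparing it against a freshly generated hash. It assumes PHP 5.6 or later for `password_hash`, `password_verify` and `hash_equals`; `bcrypt_parts` is a helper name made up for this example.

```php
<?php
// Added example; bcrypt_parts() is a hypothetical helper, not a Joomla or phpass function.
// A bcrypt string is laid out as: $<prefix>$<2-digit cost>$<22-char salt><31-char digest>
function bcrypt_parts($hash)
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt string
    }
    return [
        'prefix' => $m[1],
        'cost'   => (int) $m[2],
        'salt'   => $m[3],
        'digest' => $m[4],
    ];
}

// Hash and password exactly as quoted in the question.
$stored   = '$2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm';
$password = 'test';

// The salt is not hidden in configuration.php or a separate column:
// it is the 22 characters that follow the cost inside the stored string.
print_r(bcrypt_parts($stored));

// Two fresh hashes of the same password get two different random salts,
// so the strings differ even though both verify against the password.
$a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo 'fresh hashes identical: ';
var_dump($a === $b);
echo 'fresh hashes verify: ';
var_dump(password_verify($password, $a) && password_verify($password, $b));

// Checking a login: password_verify() reads prefix, cost and salt from the
// stored string, re-hashes the candidate and compares in constant time.
echo 'stored hash verifies: ';
var_dump(password_verify($password, $stored));

// The same check done by hand: crypt() takes its settings and salt from $stored.
$recomputed = crypt($password, $stored);
echo 'manual re-hash matches: ';
var_dump(hash_equals($stored, $recomputed));
```

To create or check a user password outside Joomla, store the output of `password_hash` and compare with `password_verify`; trying to regenerate a byte-identical string from the password alone cannot work.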