WordPress Password Hash Generator PHP - Kvcodes
X

Congrats, You are Subscribed to Receive Updates.

WordPress Password Hash Generator PHP


WordPress Password Hash Generator PHP. Some of the days I used to google, what kind of mechanism used in WordPress to create a hashing password. Which really people like developer needs to get idea. sometimes, we may need to crack the secret to avoid some critical situations.

So I have found it with help of WordPress to identify the function,  and the class, that they used to make passwords in hashing format.  Which is Blowfish hashing alogritham.

The class is available as opensource for you,  You can get the class from  here.

class PasswordHash {
	var $itoa64;
	var $iteration_count_log2;
	var $portable_hashes;
	var $random_state;

	function PasswordHash($iteration_count_log2, $portable_hashes){
		$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

		if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
			$iteration_count_log2 = 8;
		$this->iteration_count_log2 = $iteration_count_log2;

		$this->portable_hashes = $portable_hashes;

		$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
	}

	function get_random_bytes($count){
		$output = '';
		if ( @is_readable('/dev/urandom') &&
		    ($fh = @fopen('/dev/urandom', 'rb'))) {
			$output = fread($fh, $count);
			fclose($fh);
		}

		if (strlen($output) < $count) {
			$output = '';
			for ($i = 0; $i < $count; $i += 16) {
				$this->random_state =
				    md5(microtime() . $this->random_state);
				$output .=
				    pack('H*', md5($this->random_state));
			}
			$output = substr($output, 0, $count);
		}

		return $output;
	}

	function encode64($input, $count){
		$output = '';
		$i = 0;
		do {
			$value = ord($input[$i++]);
			$output .= $this->itoa64[$value & 0x3f];
			if ($i < $count)
				$value |= ord($input[$i]) << 8;
			$output .= $this->itoa64[($value >> 6) & 0x3f];
			if ($i++ >= $count)
				break;
			if ($i < $count)
				$value |= ord($input[$i]) << 16;
			$output .= $this->itoa64[($value >> 12) & 0x3f];
			if ($i++ >= $count)
				break;
			$output .= $this->itoa64[($value >> 18) & 0x3f];
		} while ($i < $count);

		return $output;
	}

	function gensalt_private($input){
		$output = '$P$';
		$output .= $this->itoa64[min($this->iteration_count_log2 +
			((PHP_VERSION >= '5') ? 5 : 3), 30)];
		$output .= $this->encode64($input, 6);

		return $output;
	}

	function crypt_private($password, $setting){		
		$output = '*0';
		if (substr($setting, 0, 2) == $output)
			$output = '*1';

		$id = substr($setting, 0, 3);
		# We use "$P$", phpBB3 uses "$H$" for the same thing
		if ($id != '$P$' && $id != '$H$')
			return $output;

		$count_log2 = strpos($this->itoa64, $setting[3]);
		if ($count_log2 < 7 || $count_log2 > 30)
			return $output;

		$count = 1 << $count_log2;

		$salt = substr($setting, 4, 8);
		if (strlen($salt) != 8)
			return $output;

		if (PHP_VERSION >= '5') {
			$hash = md5($salt . $password, TRUE);
			do {
				$hash = md5($hash . $password, TRUE);
			} while (--$count);
		} else {
			$hash = pack('H*', md5($salt . $password));
			do {
				$hash = pack('H*', md5($hash . $password));
			} while (--$count);
		}

		$output = substr($setting, 0, 12);
		$output .= $this->encode64($hash, 16);

		return $output;
	}

	function gensalt_extended($input){
		$count_log2 = min($this->iteration_count_log2 + 8, 24);
		# This should be odd to not reveal weak DES keys, and the
		# maximum valid value is (2**24 - 1) which is odd anyway.
		$count = (1 << $count_log2) - 1;

		$output = '_';
		$output .= $this->itoa64[$count & 0x3f];
		$output .= $this->itoa64[($count >> 6) & 0x3f];
		$output .= $this->itoa64[($count >> 12) & 0x3f];
		$output .= $this->itoa64[($count >> 18) & 0x3f];

		$output .= $this->encode64($input, 3);

		return $output;
	}

	function gensalt_blowfish($input){
		$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

		$output = '$2a$';
		$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
		$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
		$output .= '$';

		$i = 0;
		do {
			$c1 = ord($input[$i++]);
			$output .= $itoa64[$c1 >> 2];
			$c1 = ($c1 & 0x03) << 4;
			if ($i >= 16) {
				$output .= $itoa64[$c1];
				break;
			}

			$c2 = ord($input[$i++]);
			$c1 |= $c2 >> 4;
			$output .= $itoa64[$c1];
			$c1 = ($c2 & 0x0f) << 2;

			$c2 = ord($input[$i++]);
			$c1 |= $c2 >> 6;
			$output .= $itoa64[$c1];
			$output .= $itoa64[$c2 & 0x3f];
		} while (1);

		return $output;
	}

	function HashPassword($password){
		if ( strlen( $password ) > 4096 ) {
			return '*';
		}

		$random = '';

		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
			$random = $this->get_random_bytes(16);
			$hash =
			    crypt($password, $this->gensalt_blowfish($random));
			if (strlen($hash) == 60)
				return $hash;
		}

		if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
			if (strlen($random) < 3)
				$random = $this->get_random_bytes(3);
			$hash =
			    crypt($password, $this->gensalt_extended($random));
			if (strlen($hash) == 20)
				return $hash;
		}

		if (strlen($random) < 6)
			$random = $this->get_random_bytes(6);
		$hash =
		    $this->crypt_private($password,
		    $this->gensalt_private($random));
		if (strlen($hash) == 34)
			return $hash;

		return '*';
	}

	function CheckPassword($password, $stored_hash){
		if ( strlen( $password ) > 4096 ) {
			return false;
		}

		$hash = $this->crypt_private($password, $stored_hash);
		if ($hash[0] == '*')
			$hash = crypt($password, $stored_hash);

		return $hash === $stored_hash;
	}
}

Password Creation :

You can simple Require this file, where you need to create and check passwords. Than you can work like this.

<?php 
$wp_hasher = new PasswordHash(16, true);   // 16 digit hashing password
$pass = $wp_hasher->HashPassword( trim( $posted['password'] ) ); //$posted['password'] is your password

This is how, you can get the new password for your string which is similar like WordPress. Than you can store it in the database.  Now, Let’s see how to check it.

Check And Verify:

Let’s see an example, then you can understand it easily.

$password_hashed = $user['password'];  // here the password to check
$wp_hasher = new PasswordHash(16, true);
if($wp_hasher->CheckPassword($pass, $password_hashed)) {
	echo "Yes password is correct" ; 		
} else {
	echo "Entered Password is wrong";
}

That’s it.  Enjoy this happy coding, if you have clarifications post your comment below.  Let me help you.

commenter

About Varadharaj V

The founder of Kvcodes, Varadharaj V is an ERP Analyst and a Web developer specializing in WordPress(WP), WP Theme development, WP Plugin development, Frontaccounting(FA), Sales, Purchases, Inventory, Ledgers, Payroll & HRM, CRM, FA Core Customization, OpenCart Theme Development, PHP, HTML, CSS, jQuery, Bootstrap development and content SEO.

10 comments

  1. commenter

    Hi, very curious to see if this will do what I think. Im trying to get my android volley login system to read the username and password from my wordpress database. My login screen sends the user’s username and password to a php script on my server which verifies with my existing database and sends a response to allow or deny the user access. My current password system uses md5 hashing. Any help on how to use this with my code would be great. Here’s what I have on my server:

    < ?php if($_SERVER['REQUEST_METHOD']=='POST'){ //Getting values $username = $_POST['username']; $password = $_POST['password']; $password = md5($password); $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'"; require_once('dbConnect.php'); $result = mysqli_query($con,$sql); $check = mysqli_fetch_array($result); if(isset($check)){ echo "success"; }else{ echo "failure"; } mysqli_close($con); } ?>

    • commenter

      Use it like this.

      $username = $_POST['username'];
      $password = $_POST['password'];
      // require the class here before you create object for it.
      wp_hasher = new PasswordHash(16, true); // 16 digit hashing password
      $pass = $wp_hasher->HashPassword( trim( $password ) ); //$password = md5($password); is ur old code.

      There after you can save it on database.

      • commenter

        What do I save the passwordhash text you have here as?

        • commenter

          PasswordHash is a class, you are creating an object for it and creating your Encrypted password with help of that object by the user entered input.
          `$pass` will keep your final encrypted password. You can save it on your database.

      • commenter

        Okay. I have the top file you have saved as such: http://pastebin.com/4T8U6w75

        • commenter

          You can validate it like the below one. Which i already Gave it in my example
          $password_hashed = $user['password']; // here the password to check, it will be stored password in your database.
          $wp_hasher = new PasswordHash(16, true);
          if($wp_hasher->CheckPassword($pass, $password_hashed)) { // $pass will be newly user entered while trying to login.
          echo "Yes password is correct" ;
          } else {
          echo "Entered Password is wrong";
          }

          • commenter

            Please help. I’ve done everything I can think and it still wont work.

            HashPassword( trim( $posted[‘password’] )

            );

            $strSql = “SELECT user_pass FROM wp_users WHERE user_login = ‘$username'”;
            $result = mysql_query($strSql);
            $row = mysql_fetch_array($result);
            $password_hashed = $user[‘password’];

            if($wp_hasher->CheckPassword($pass, $password_hashed)) {
            echo “Yes password is correct” ;
            } else {
            echo “Entered Password is wrong”;
            }
            mysqli_close($con);
            }

          • commenter

            Please help. I’ve done everything I can think and it still wont work.

            HashPassword( trim( $posted[‘password’] )

            );

            $strSql = “SELECT user_pass FROM wp_users WHERE user_login = ‘$username'”;
            $result = mysql_query($strSql);
            $row = mysql_fetch_array($result);
            $password_hashed = $user[‘password’];

            if($wp_hasher->CheckPassword($pass, $password_hashed)) {
            echo “Yes password is correct” ;
            } else {
            echo “Entered Password is wrong”;
            }
            mysqli_close($con);
            }

          • commenter

            Sorry. It wouldnt let me post entire code: http://pastebin.com/EnAVtm3f

          • commenter

            This
            $pass = $wp_hasher->HashPassword( trim( $posted['password']) );
            Should be like this
            $pass = $wp_hasher->HashPassword( trim( $password ));

Comment Below

Your email address will not be published. Required fields are marked *

*

Current ye@r *

Menu

Sidebar

Subscribe E-mail Updates

Congrats, You are Subscribed to Receive Updates.

Advertisement

Category Posts