
WordPress Password Hash Generator PHP


WordPress Password Hash Generator PHP. Some time ago I kept searching for the mechanism WordPress uses to hash passwords. Developers really need to understand it, and sometimes you have to work out how the secret is produced to get out of a critical situation.

With WordPress's own source I found the function and the class it uses to store passwords in hashed form, which is the Blowfish hashing algorithm.

The class is open source; you can get it from here.

// The phpass PasswordHash class as shipped with WordPress (wp-includes/class-phpass.php)
class PasswordHash {
	var $itoa64;
	var $iteration_count_log2;
	var $portable_hashes;
	var $random_state;

	function __construct($iteration_count_log2, $portable_hashes){ // PHP 5+ constructor; the PHP 4 style `function PasswordHash()` constructor no longer works on PHP 8
		$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

		if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
			$iteration_count_log2 = 8;
		$this->iteration_count_log2 = $iteration_count_log2;

		$this->portable_hashes = $portable_hashes;

		$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
	}

	function get_random_bytes($count){
		$output = '';
		if ( @is_readable('/dev/urandom') &&
		    ($fh = @fopen('/dev/urandom', 'rb'))) {
			$output = fread($fh, $count);
			fclose($fh);
		}

		if (strlen($output) < $count) {
			$output = '';
			for ($i = 0; $i < $count; $i += 16) {
				$this->random_state =
				    md5(microtime() . $this->random_state);
				$output .=
				    pack('H*', md5($this->random_state));
			}
			$output = substr($output, 0, $count);
		}

		return $output;
	}

	function encode64($input, $count){
		$output = '';
		$i = 0;
		do {
			$value = ord($input[$i++]);
			$output .= $this->itoa64[$value & 0x3f];
			if ($i < $count)
				$value |= ord($input[$i]) << 8;
			$output .= $this->itoa64[($value >> 6) & 0x3f];
			if ($i++ >= $count)
				break;
			if ($i < $count)
				$value |= ord($input[$i]) << 16;
			$output .= $this->itoa64[($value >> 12) & 0x3f];
			if ($i++ >= $count)
				break;
			$output .= $this->itoa64[($value >> 18) & 0x3f];
		} while ($i < $count);

		return $output;
	}

	function gensalt_private($input){
		$output = '$P$';
		$output .= $this->itoa64[min($this->iteration_count_log2 +
			((PHP_VERSION >= '5') ? 5 : 3), 30)];
		$output .= $this->encode64($input, 6);

		return $output;
	}

	// Recompute a $P$/$H$ portable hash from the cost and salt encoded in $setting
	function crypt_private($password, $setting){
		$output = '*0';
		if (substr($setting, 0, 2) == $output)
			$output = '*1';

		$id = substr($setting, 0, 3);
		# We use "$P$", phpBB3 uses "$H$" for the same thing
		if ($id != '$P$' && $id != '$H$')
			return $output;

		$count_log2 = strpos($this->itoa64, $setting[3]);
		if ($count_log2 < 7 || $count_log2 > 30)
			return $output;

		$count = 1 << $count_log2;

		$salt = substr($setting, 4, 8);
		if (strlen($salt) != 8)
			return $output;

		if (PHP_VERSION >= '5') {
			$hash = md5($salt . $password, TRUE);
			do {
				$hash = md5($hash . $password, TRUE);
			} while (--$count);
		} else {
			$hash = pack('H*', md5($salt . $password));
			do {
				$hash = pack('H*', md5($hash . $password));
			} while (--$count);
		}

		$output = substr($setting, 0, 12);
		$output .= $this->encode64($hash, 16);

		return $output;
	}

	function gensalt_extended($input){
		$count_log2 = min($this->iteration_count_log2 + 8, 24);
		# This should be odd to not reveal weak DES keys, and the
		# maximum valid value is (2**24 - 1) which is odd anyway.
		$count = (1 << $count_log2) - 1;

		$output = '_';
		$output .= $this->itoa64[$count & 0x3f];
		$output .= $this->itoa64[($count >> 6) & 0x3f];
		$output .= $this->itoa64[($count >> 12) & 0x3f];
		$output .= $this->itoa64[($count >> 18) & 0x3f];

		$output .= $this->encode64($input, 3);

		return $output;
	}

	function gensalt_blowfish($input){
		$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

		$output = '$2a$';
		$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
		$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
		$output .= '$';

		$i = 0;
		do {
			$c1 = ord($input[$i++]);
			$output .= $itoa64[$c1 >> 2];
			$c1 = ($c1 & 0x03) << 4;
			if ($i >= 16) {
				$output .= $itoa64[$c1];
				break;
			}

			$c2 = ord($input[$i++]);
			$c1 |= $c2 >> 4;
			$output .= $itoa64[$c1];
			$c1 = ($c2 & 0x0f) << 2;

			$c2 = ord($input[$i++]);
			$c1 |= $c2 >> 6;
			$output .= $itoa64[$c1];
			$output .= $itoa64[$c2 & 0x3f];
		} while (1);

		return $output;
	}

	// Produce a new hash: bcrypt if available and portable hashes are not forced, then ext-DES, then the portable MD5 scheme
	function HashPassword($password){
		if ( strlen( $password ) > 4096 ) {
			return '*';
		}

		$random = '';

		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
			$random = $this->get_random_bytes(16);
			$hash =
			    crypt($password, $this->gensalt_blowfish($random));
			if (strlen($hash) == 60)
				return $hash;
		}

		if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
			if (strlen($random) < 3)
				$random = $this->get_random_bytes(3);
			$hash =
			    crypt($password, $this->gensalt_extended($random));
			if (strlen($hash) == 20)
				return $hash;
		}

		if (strlen($random) < 6)
			$random = $this->get_random_bytes(6);
		$hash =
		    $this->crypt_private($password,
		    $this->gensalt_private($random));
		if (strlen($hash) == 34)
			return $hash;

		return '*';
	}

	// Recompute the hash using the stored hash as the setting string and compare
	function CheckPassword($password, $stored_hash){
		if ( strlen( $password ) > 4096 ) {
			return false;
		}

		$hash = $this->crypt_private($password, $stored_hash);
		if ($hash[0] == '*')
			$hash = crypt($password, $stored_hash);

		return $hash === $stored_hash; // note: plain string comparison, not constant-time
	}
}

Password Creation:

You can simply require this file wherever you need to create and check passwords. Then you can work like this.

<?php
$wp_hasher = new PasswordHash(16, true);   // 16 = iteration_count_log2 (2^21 MD5 rounds for $P$ hashes); true = portable hashes
$pass = $wp_hasher->HashPassword( trim( $posted['password'] ) ); // $posted['password'] is the plaintext password; $pass is the hash to store

This is how you get a WordPress-compatible hash for your string; then you can store it in the database. Now, let's see how to check it.

Check And Verify:

Let's see an example; it is easy to follow.

$password_hashed = $user['password'];  // the stored hash to check against
$wp_hasher = new PasswordHash(16, true);
if($wp_hasher->CheckPassword($pass, $password_hashed)) { // $pass here is the plaintext the user just entered
	echo "Yes password is correct" ;
} else {
	echo "Entered Password is wrong";
}
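As an added example (not part of the original post and not phpass or WordPress code), here is a Python re-implementation of the portable `$P$` path that the class takes when its second constructor argument is `true`, as in both snippets above. Note that in that mode the class never reaches the Blowfish (`$2a$`) branch of HashPassword: `$P$` hashes are salted, iterated MD5, and the fourth character of the hash encodes log2 of the round count. The function names `hash_password`, `check_password`, `describe_hash` and the fixed salt bytes are my own; WordPress core itself constructs `new PasswordHash(8, true)`, so the `16` used above yields 2^21 rounds instead of the stock 2^13. Besides creating and checking hashes, `describe_hash` shows how to tell the three output formats of the class apart when auditing a stored hash.

```python
import hashlib
import hmac
import os

# The phpass alphabet, in the same order as $itoa64 in the PasswordHash class.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant: little-endian 6-bit groups, no padding (mirrors encode64())."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a portable ($P$ / $H$) hash under the cost and salt in `setting` (mirrors crypt_private())."""
    output = "*1" if setting.startswith("*0") else "*0"   # error marker, never equal to a real hash
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return output
    count_log2 = ITOA64.find(setting[3])           # one alphabet character encodes log2 of the round count
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12].encode("latin-1")          # 8 salt characters follow the cost character
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):               # PHP's do/while(--$count) runs exactly 2^count_log2 times
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def gensalt_private(random6: bytes, iteration_count_log2: int) -> str:
    """Build the 12-character setting string: '$P$', cost char (log2 + 5 on PHP 5+), 8 salt chars."""
    return "$P$" + ITOA64[min(iteration_count_log2 + 5, 30)] + encode64(random6, 6)


def hash_password(password: bytes, iteration_count_log2: int = 8, salt_bytes: "bytes | None" = None) -> str:
    """Equivalent of HashPassword() with portable_hashes = true; cost 8 is what WordPress core uses."""
    if len(password) > 4096:
        return "*"
    if not 4 <= iteration_count_log2 <= 31:
        iteration_count_log2 = 8
    if salt_bytes is None:
        salt_bytes = os.urandom(6)                 # the class reads /dev/urandom for the same purpose
    hashed = crypt_private(password, gensalt_private(salt_bytes, iteration_count_log2))
    return hashed if len(hashed) == 34 else "*"


def check_password(password: bytes, stored_hash: str) -> bool:
    """Equivalent of CheckPassword() for portable hashes, with a constant-time comparison."""
    if len(password) > 4096:
        return False
    computed = crypt_private(password, stored_hash)
    if computed[0] == "*":                         # bcrypt / ext-DES hashes would need crypt(); not handled here
        return False
    return hmac.compare_digest(computed.encode("latin-1"), stored_hash.encode("latin-1"))


def describe_hash(stored_hash: str) -> dict:
    """Audit helper: which of the class's three output formats is this, and what is its work factor?"""
    if stored_hash[:3] in ("$P$", "$H$") and len(stored_hash) == 34:
        return {"scheme": "portable-md5", "rounds": 1 << ITOA64.find(stored_hash[3])}
    if stored_hash[:4] == "$2a$" and len(stored_hash) == 60:
        return {"scheme": "bcrypt", "cost": int(stored_hash[4:6])}
    if stored_hash[:1] == "_" and len(stored_hash) == 20:
        # gensalt_extended() stores the round count as four little-endian 6-bit characters
        rounds = sum(ITOA64.find(c) << (6 * k) for k, c in enumerate(stored_hash[1:5]))
        return {"scheme": "ext-des", "rounds": rounds}
    return {"scheme": "unknown"}


if __name__ == "__main__":
    # Constructed sample: a fixed salt makes the output reproducible; use os.urandom in real code.
    pw = b"correct horse battery staple"
    h = hash_password(pw, 8, b"\x01\x02\x03\x04\x05\x06")
    print(h, describe_hash(h))                     # $P$B... with 8192 rounds, like a stock WordPress hash
    print(check_password(pw, h), check_password(b"wrong", h))
    print(gensalt_private(b"\x01\x02\x03\x04\x05\x06", 16))  # '$P$J...': cost 16 means 2^21 rounds
```

Because the cost character sits in the hash itself, `describe_hash` is enough to spot weak rounds in a user table without knowing any password, and `check_password` lets a migration job confirm a credential against the old `$P$` hash before re-hashing it with something stronger.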

That's it. Happy coding; if you need any clarification, post a comment below and I will help you.


About Varadharaj V

The founder of Kvcodes, Varadharaj V is an ERP Analyst and a Web developer specializing in WordPress (WP), WP theme development, WP plugin development, FrontAccounting (FA), Sales, Purchases, Inventory, Ledgers, Payroll & HRM, CRM, FA core customization, PHP and data analysis, and advanced-level database management.

10 comments

  1. commenter

    Hi, very curious to see if this will do what I think. I'm trying to get my Android Volley login system to read the username and password from my WordPress database. My login screen sends the user's username and password to a PHP script on my server which verifies with my existing database and sends a response to allow or deny the user access. My current password system uses md5 hashing. Any help on how to use this with my code would be great. Here's what I have on my server:

    • commenter

      Use it like this.

      $username = $_POST['username'];
      $password = $_POST['password'];
      // require the class here before you create object for it.
      $wp_hasher = new PasswordHash(16, true); // 16 = iteration_count_log2, true = portable hashes
      $pass = $wp_hasher->HashPassword( trim( $password ) ); //$password = md5($password); is ur old code.

      There after you can save it on database.

      • commenter

        What do I save the passwordhash text you have here as?

        • commenter

          PasswordHash is a class; you create an object of it and create your encrypted password from the user's input with the help of that object.
          `$pass` will hold your final encrypted password. You can save it in your database.

      • commenter

        Okay. I have the top file you have saved as such: http://pastebin.com/4T8U6w75

        • commenter

          You can validate it like the one below, which I already gave in my example:
          $password_hashed = $user['password']; // here the password to check, it will be stored password in your database.
          $wp_hasher = new PasswordHash(16, true);
          if($wp_hasher->CheckPassword($pass, $password_hashed)) { // $pass will be newly user entered while trying to login.
          echo "Yes password is correct" ;
          } else {
          echo "Entered Password is wrong";
          }

          • commenter

            Please help. I've done everything I can think of and it still won't work.

            HashPassword( trim( $posted['password'] )

            );

            $strSql = "SELECT user_pass FROM wp_users WHERE user_login = '$username'";
            $result = mysql_query($strSql);
            $row = mysql_fetch_array($result);
            $password_hashed = $user['password'];

            if($wp_hasher->CheckPassword($pass, $password_hashed)) {
            echo "Yes password is correct" ;
            } else {
            echo "Entered Password is wrong";
            }
            mysqli_close($con);
            }


          • commenter

            Sorry. It wouldn't let me post the entire code: http://pastebin.com/EnAVtm3f

          • commenter

            This
            $pass = $wp_hasher->HashPassword( trim( $posted['password']) );
            Should be like this
            $pass = $wp_hasher->HashPassword( trim( $password ));
