Import / use SHA1 passwords on wordpress - wordpress

I've just built a new Wordpress website and I'm trying to import my members from a previous website to the new one. The import was successful, except now all logins fail. My old website used SHA1 hash to encrypt passwords, whereas Wordpress uses MD5. Is it possible to convert all my SHA1 passwords to MD5 and keep the same passwords?
When the website goes live I want all my previous members to be able to log in with the same passwords as before (as seamless as possible).

You can't convert a SHA1 pass to MD5. Moreover, WordPress uses a salt to create its hash.
You have 2 solutions:
The easy one: send a mailing to all users asking them to change their password.
The hard one: change the WordPress auth mechanism.
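One way to take the "hard" route, as an added example that is not part of the original answer or of WordPress core: hook WordPress's `check_password` filter so an imported SHA1 digest is accepted once and immediately replaced with a native WordPress hash. It assumes the import put an unsalted, 40-character hex SHA1 digest into `wp_users.user_pass`; the function name `legacy_sha1_check_password` is hypothetical.

```php
<?php
// Added example (e.g. placed in a small must-use plugin); not WordPress core code.
// Assumption: imported accounts carry an unsalted hex SHA1 digest in user_pass.
add_filter( 'check_password', 'legacy_sha1_check_password', 10, 4 );

function legacy_sha1_check_password( $check, $password, $hash, $user_id ) {
    // WordPress already verified the password against one of its own hashes.
    if ( $check ) {
        return $check;
    }
    // Only handle values that look like a legacy SHA1 digest (40 hex chars).
    if ( ! is_string( $hash ) || ! preg_match( '/^[0-9a-f]{40}$/i', $hash ) ) {
        return $check;
    }
    // Constant-time comparison of the stored digest with SHA1 of the input.
    if ( ! hash_equals( strtolower( $hash ), sha1( $password ) ) ) {
        return false;
    }
    // Correct password: re-hash it with WordPress's current scheme so the
    // weak SHA1 value is replaced in the database on this first login.
    if ( $user_id ) {
        wp_set_password( $password, $user_id );
    }
    return true;
}
```

Accounts that never log in keep their SHA1 digest, so after a transition period the remaining 40-character values can be cleared and those users sent through a password reset.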

Related

How can I identify which type of encryption I am using?

My friend created his platform using Laravel, and he encrypted the users' passwords using Laravel Hash. I never worked with Laravel. I'm building a simple Android application to list all the users from his website, using PHP and Java, and I would like to decrypt the passwords for the login.
I usually use md5:
$password = md5($_GET['password']);
But he used a different hash. My password appears encrypted like this:
Q5joXS5QBA0xdV2Ed2c80e12ac10766d48ef5d8a916e445064091725156d7776958a3937b5cbe79
Thanks.
Some small research seems to show that they are hashed using Bcrypt. This is different to encrypting because it is one way. So to check if the two passwords match, you will need to encrypt the user input with Bcrypt and then check if the two match.
http://laravel.com/docs/4.2/security - Info on BCrypt.
You could use this to check if your passwords match up.
http://www.bcrypt-generator.com/
EDIT: I would advise against using md5 encryption as it is not very secure and it can be "decrypted" by brute force.
Example: http://www.hashkiller.co.uk/md5-decrypter.aspx

login with a wordpress generated password in a non-wp environment

My client gave me a bunch of databases with wordpress generated passwords. Now he wants me to make a login system, but not with wordpress (I must use those wp-generated passwords). Is there a way to make use of those passwords?
Thanks!
If you know what algorithm was used to encrypt passwords in your Wordpress database, you can easily write your own function for comparing passwords for your login system using the same HASH.
Here is some more info on WP_HASH: http://codex.wordpress.org/Function_Reference/wp_hash_password
EDIT: Very good article about Wordpress Password Hashes: http://resources.infosecinstitute.com/wordpress-password-hashes/

Password Hashing for SSO between Wordpress and CakePHP

We have a Wordpress site which we are going to gradually rebuild using the cakePHP framework. We will replace different parts of the Wordpress site incrementally, so we need to implement some sort of single sign on to allow authorization across both frameworks during the time while both frameworks are running side by side.
We have a pretty good strategy for how to do this. In short, we will duplicate all user rows in two different tables: one table for Wordpress (wp_users) and a different table for Cake (users). [More details outlined here (in case you're interested).]
This means when we create a user in Wordpress or Cake, we create the same user in the other table as well. This is "mostly harmless"...
We are struggling with the different password hashing strategies between Wordpress and Cake. In order to save the same user password in both tables, we need to figure out how to hash it so that each respective framework can check it.
Wordpress uses a pretty advanced hashing algorithm: PHPass. Cake (by default) seems to offer a choice of more traditional algorithms: SHA1, md5, blowfish... with optional salting. We're stuck on the fact that Wordpress generates/emails a default password to new users and then immediately saves a hashed version in the DB. This hashed version of the password is pretty useless to cake, unless we can figure out how to replicate all of the Wordpress authorization protocols (which seems somewhat daunting for new Cake users).
Is there an elegant solution to this problem?
I would suggest to keep user management centralised in either Wordpress or CakePHP until the migration to CakePHP is completed.
As of CakePHP 2.3, bcrypt/blowfish is officially supported for hashing passwords;
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords
However, if you already have your Single-Sign on working, why not leave the password syncing for the time being? Once migration to CakePHP is complete, consider the following options;
Send an email to all users containing a unique link to reset their password; resetting the password will actually create a hashed password in CakePHP and enable the new account. The unique links should be invalidated after that (also make sure that the link will expire after a certain period anyway)
Because both CakePHP and PHPass use bcrypt/blowfish, you may be able to copy the hashed passwords to CakePHP when migration is completed. However, you will need to determine 'how' PHPass passwords and salts are stored (separate fields? single field with a delimiter?). You may have to write your own Authorize Object that will pick the right 'salt' from the database

Generate same password hash using PHPass

I am in the process of converting a site from Wordpress to a custom CMS developed in Codeigniter. I was told that Wordpress uses PHPass to hash their passwords, so I am using the PHPass library (as outlined at this site) in an attempt to seamlessly transition the users over without them having to reset or change their passwords.
I have it working fine in my application, but it's not generating the same password hashes as Wordpress uses. I'm assuming it's related to some kind of site key, but I'm not having any luck. How can I make PHPass generate the same password hash?
You won't be able to get PHPass to generate the same hash twice - it uses a random salt. That salt is stored inside the password hash.
You don't really need to generate the same hash, though - copy the old one, and use PHPass' CheckPassword($pass, $hash) to check the password. Give it the hash from the DB as $hash and the password entered as $pass, and it'll return true if they're a match.
The HashPassword() method is ONLY to be used to create a new password hash (for a new password), not to compare against an existing one.
There are a couple of possibilities. They're either using a different hashing algorithm or they're salting their hashes or some other method of obfuscation. If Wordpress salts their hashes, then you'd have to gain access to their salt table or single salt phrase to alter their hashes -- but I doubt you'll get that. I verified that PHPass does support salting as well as other hash obfuscating methods so one of those is probably the reason why your hashes aren't coming out identical.
http://www.openwall.com/articles/PHP-Users-Passwords
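For the two questions above about checking WordPress-generated hashes outside WordPress, here is an added example (not code from the PHPass library or from any of the posts) of a stand-alone verifier. It assumes the stored values are PHPass "portable" hashes, i.e. strings beginning with `$P$` (or `$H$`) that carry the cost character and the 8-character salt before the digest; the function names and the demo password are constructed for illustration.

```php
<?php
// Added example: verifier for PHPass "portable" hashes ($P$ / $H$ prefix).
// Layout assumed: 3-char id, 1 cost char, 8 salt chars, 22 digest chars.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// PHPass's own base64 variant: little-endian 24-bit groups, no padding.
function phpass_encode64(string $in, int $count): string {
    $a = ITOA64; $out = ''; $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= $a[$v & 0x3f];
        if ($i < $count) { $v |= ord($in[$i]) << 8; }
        $out .= $a[($v >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $v |= ord($in[$i]) << 16; }
        $out .= $a[($v >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= $a[($v >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a hash using the cost and salt held in $setting's first 12 chars.
function phpass_portable_hash(string $password, string $setting): ?string {
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return null;
    }
    $log2 = strpos(ITOA64, $setting[3]);          // cost char -> log2(iterations)
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return null; }
    $salt = substr($setting, 4, 8);
    $hash = md5($salt . $password, true);          // raw 16-byte digest
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);      // key stretching
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Verification: re-derive with the stored salt, compare in constant time.
function phpass_check(string $password, string $stored): bool {
    $computed = phpass_portable_hash($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// Constructed demo: two random salts give two different hashes; both verify.
$pw = 'correct horse';
$h1 = phpass_portable_hash($pw, '$P$B' . phpass_encode64(random_bytes(6), 6));
$h2 = phpass_portable_hash($pw, '$P$B' . phpass_encode64(random_bytes(6), 6));
var_dump($h1 !== $h2, phpass_check($pw, $h1), phpass_check($pw, $h2), phpass_check('wrong', $h1));
```

Hashes with any other prefix (for example bcrypt's `$2y$`) are rejected by this verifier and need the matching algorithm instead.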

Wordpress, Drupal, Asp.net Membership Provider

I need to synchronize three of them but I have already 18k Asp.Net Members. (Offline synchronization)
So how can I convert default "Password Hashing" of Wordpress and Drupal to Asp.Net Membership's (SHA1 with Salt)?
I don't know if you can. MD5 and SHA1 are uni-directional algorithms. This is why they are used. They provide security for the user passwords. So you will not be able to revert the hash back to the passwords. Nor can you convert from MD5 to SHA1 directly.
In this scenario I think you are stuck with resetting the Drupal and Wordpress user passwords when you merge. (See edits for alternate solution.)
EDIT: This post had an interesting idea / solution. Write some custom code to generate the SHA1 passwords upon your users first logging in. Collect the SHA1 hashes, and use those during merge. Any users you don't get, force them to do a password reset.
