Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How vanilla encodes passwords?

edited May 2012 in Vanilla 2.0 - 2.8

How vanilla encodes passwords?

I saw it was in md5, but not sure, can you clarify me?

Best Answer

  • Answer ✓

    I have to use it in another script that is not vanilla, so it was like this:

    $Vanilla_PasswordHash = new PasswordHash();
    
    $a =  $Vanilla_PasswordHash->HashPassword('123456');
    echo $Vanilla_PasswordHash->CheckPassword('123456', $a, 'Vanilla');
    echo $a;
    

    Now all I have to change the subdomain HashMethod vanilla to the site, a random string or something.

    Although return different strings, it works.

    Solved, Thanks! ;)

    *How do i thank on this board? ¿Karma or something?

Answers

  • aeryaery Gtricks Forum in 2.2 :) ✭✭✭

    passeords are in md5 hash

    There was an error rendering this rich post.

  • sort of.

    you can use different ways. the default is phppass

    which is simular to md5 and uses it in it algorithm

    http://www.openwall.com/phpass/

    grep is your friend.

  • x00x00 MVP
    edited May 2012

    aery said:
    passeords are in md5 hash

    actually not quite

    grep is your friend.

  • For example, for 123456 it save in User (table), Password = $P$BrCcPc.mOwmL.7dO6EExggauzt0YqG/

    For 111111 I need get the hash.

    I only need encode.

    I'm seeing PasswordHash class, I'll look phpass

  •  $PasswordHash = new Gdn_PasswordHash();
     $PasswordHashed = $PasswordHash->HashPassword($Password);
    

    grep is your friend.

  • I saw that, but generates a random string is not always the same pass.

    I need it when creating a new site, insert the password of the administrator.

    I think the HashMethod row has something to do.

  • $PasswordHash->CheckPassword('123456', '$P$BrCcPc.mOwmL.7dO6EExggauzt0YqG/', 'Vanilla');
    

    returns true.

    I'm still seeing this class.

  • Yes you need both the stored hash and the suposed password to check. This is an extra layer of security.

    They are not directly compared, in effect phppass uses crypt_private to retrieve the actual hash that can be compared to the storedhash

    Have a look at CheckPassword

    grep is your friend.

  • HashMethod row determines whether you are goign to use phppass in the first place.

    grep is your friend.

  • so the method is if there is already a record you need both the stored has hash the password to create a hash to compare to the stored hash. Make sense?

    grep is your friend.

  • so the user either exist, or you create them.

    grep is your friend.

  • Answer ✓

    I have to use it in another script that is not vanilla, so it was like this:

    $Vanilla_PasswordHash = new PasswordHash();
    
    $a =  $Vanilla_PasswordHash->HashPassword('123456');
    echo $Vanilla_PasswordHash->CheckPassword('123456', $a, 'Vanilla');
    echo $a;
    

    Now all I have to change the subdomain HashMethod vanilla to the site, a random string or something.

    Although return different strings, it works.

    Solved, Thanks! ;)

    *How do i thank on this board? ¿Karma or something?

  • You must also add $portable_hashes = 'vanilla'.

  • I leave it written for anyone else who needed it in the future ...

  • luisgzafra said:

    *How do i thank on this board? ¿Karma or something?>

    You click like on x00's comments.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

Sign In or Register to comment.