
How does Vanilla encode passwords?

edited May 2012 in Vanilla 2.0 - 2.8

How does Vanilla encode passwords?

I saw it was in MD5, but I'm not sure. Can you clarify for me?

Answers

  • aeryaery ✭✭✭

    passwords are in md5 hash


  • sort of.

    you can use different ways. the default is phpass

    which is similar to md5 and uses it in its algorithm

    http://www.openwall.com/phpass/

    grep is your friend.

  • x00x00 MVP
    edited May 2012

    aery said:
    passwords are in md5 hash

    actually not quite

    grep is your friend.

  • For example, for 123456 it saves in the User table, Password = $P$BrCcPc.mOwmL.7dO6EExggauzt0YqG/

    For 111111 I need to get the hash.

    I only need to encode.

    I'm looking at the PasswordHash class; I'll look at phpass.

  •  $PasswordHash = new Gdn_PasswordHash();
     $PasswordHashed = $PasswordHash->HashPassword($Password);
    

    grep is your friend.

  • I saw that, but it generates a random string; it is not always the same for the same pass.

    I need it when creating a new site, insert the password of the administrator.

    I think the HashMethod row has something to do.

  • $PasswordHash->CheckPassword('123456', '$P$BrCcPc.mOwmL.7dO6EExggauzt0YqG/', 'Vanilla');
    

    returns true.

    I'm still looking at this class.

  • Yes, you need both the stored hash and the supposed password to check. This is an extra layer of security.

    They are not directly compared; in effect phpass uses crypt_private to retrieve the actual hash that can be compared to the stored hash.

    Have a look at CheckPassword

    grep is your friend.

  • The HashMethod row determines whether you are going to use phpass in the first place.

    grep is your friend.

  • so the method is: if there is already a record, you need both the stored hash and the password to create a hash to compare to the stored hash. Make sense?

    grep is your friend.

  • so the user either exists, or you create them.

    grep is your friend.

  • Answer ✓

    I have to use it in another script that is not vanilla, so it was like this:

    $Vanilla_PasswordHash = new PasswordHash();
    
    $a =  $Vanilla_PasswordHash->HashPassword('123456');
    echo $Vanilla_PasswordHash->CheckPassword('123456', $a, 'Vanilla');
    echo $a;
    

    Now all I have to change the subdomain HashMethod vanilla to the site, a random string or something.

    Although it returns different strings, it works.

    Solved, Thanks! ;)

    *How do I thank on this board? ¿Karma or something?

  • You must also add $portable_hashes = 'vanilla'.

  • I leave it written for anyone else who needs it in the future ...

  • luisgzafra said:

    *How do I thank on this board? ¿Karma or something?

    You click like on x00's comments.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
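
The behaviour discussed in the thread (a different string on every HashPassword call, yet CheckPassword still succeeds) follows from the phpass portable format, which stores the cost and the random salt inside the hash itself. The sketch below is an added example, not code from Vanilla or from any poster; it reimplements the phpass portable scheme in Python, the function names are this example's own, and the only value taken from the page is the hash quoted above for 123456.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
THREAD_HASH = "$P$BrCcPc.mOwmL.7dO6EExggauzt0YqG/"  # quoted in the thread for '123456'

def encode64(data: bytes) -> str:
    """phpass base64 variant: little-endian 3-byte groups, 6 bits per character."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def parse_setting(stored: str):
    """Return (log2 of iteration count, salt), or None if not a portable hash."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        return None
    log2 = ITOA64.find(stored[3])
    if not 7 <= log2 <= 30:
        return None
    return log2, stored[4:12]

def crypt_private(password: str, setting: str) -> str:
    """Recompute the hash using the cost and salt embedded in `setting`."""
    parsed = parse_setting(setting)
    if parsed is None:
        return "*0"
    log2, salt = parsed
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def hash_password(password: str, log2: int = 13) -> str:
    """New hash with a fresh random salt, so the output differs on every call."""
    setting = "$P$" + ITOA64[log2] + encode64(os.urandom(6))
    return crypt_private(password, setting)

def check_password(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    candidate = crypt_private(password, stored)
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    print(parse_setting(THREAD_HASH))             # cost and salt read from the hash
    print(check_password("123456", THREAD_HASH))  # the pair tested in the thread
```

To pre-seed an administrator password, insert the output of one `hash_password` call; there is no need to reproduce a particular string, because verification always re-reads the salt from the stored value.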
