1

I am updating my login module to work with the new bcrypt scheme added to Joomla in 3.2. Running JUserHelper::hashPassword("test") returns:

$2y$10$JlH32nPPCKtqqjuw.2p1X.0orqqSXn28eClz5Z3rDozW.j1KASN/e

But when the password is generated from the Joomla backend

$2y$10$0vJdqZDtIddQAAp2yBT7KOoFJ3BLUHCt3LS8XiZlE3dZftYHORJS2

is stored in the database.

I have looked for a couple of days for something I might have missed (salt?), but I am not sure how Joomla is handling it.

I have read and tried the suggestions from Joomla 3.2.1 password encryption.

VeXii

2 Answers

3

Each use of hashPassword() generates a password with a different salt, so the resulting values will always be different, even when the same password is used. That's deliberate, to make it more difficult for attackers.

And that's why you have a verifyPassword() method, to check the validity of the entered password.

Mark Baker
0

I have J3.4; it works like this:

$user = JFactory::getUser();
$testingPlainPass = "test";
$verifyPass = JUserHelper::verifyPassword($testingPlainPass, $user->password, $user->id);
if($verifyPass) {echo "So gud!";}

And a cool method to change the password:

$user = JFactory::getUser();
$user->password = JUserHelper::hashPassword($newpassPlainText);
$user->save();
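
The salt behaviour described in the answers, shown as an added example that is not part of either answer and is not Joomla code: it splits the two hashes from the question into their fields, then compares re-hashing against verifying. PHP's built-in password_hash()/password_verify() stand in for JUserHelper, which is not loaded here, and parseBcrypt() is a hypothetical helper written for this illustration.

```php
<?php
// Added example in plain PHP; JUserHelper is not used or required.

/** Hypothetical helper: split "$2y$10$<22-char salt><31-char digest>" into fields. */
function parseBcrypt(string $hash): array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// The two hashes quoted in the question.
$hashes = [
    'helper'  => '$2y$10$JlH32nPPCKtqqjuw.2p1X.0orqqSXn28eClz5Z3rDozW.j1KASN/e',
    'backend' => '$2y$10$0vJdqZDtIddQAAp2yBT7KOoFJ3BLUHCt3LS8XiZlE3dZftYHORJS2',
];

// Same variant and cost, different embedded salt, so the digests cannot match.
foreach ($hashes as $label => $hash) {
    $f = parseBcrypt($hash);
    printf("%-8s variant=%s cost=%d salt=%s\n", $label, $f['variant'], $f['cost'], $f['salt']);
}

// Constructed sample: hash the same password twice, as the question did.
$stored = password_hash('test', PASSWORD_BCRYPT, ['cost' => 10]);
$again  = password_hash('test', PASSWORD_BCRYPT, ['cost' => 10]);

// Wrong check: each call draws a fresh random salt, so comparing strings fails.
echo 're-hash equals stored: ', var_export($stored === $again, true), "\n";

// Right check: password_verify() reads variant, cost and salt from the stored hash.
echo 'verify correct password: ', var_export(password_verify('test', $stored), true), "\n";
echo 'verify wrong password:   ', var_export(password_verify('Test', $stored), true), "\n";

// The same check by hand: crypt() reuses the salt embedded in its second argument,
// and hash_equals() compares the result in constant time.
$recomputed = crypt('test', $stored);
echo 'crypt() with stored salt matches: ', var_export(hash_equals($stored, $recomputed), true), "\n";
```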