
I have a website with WooCommerce installed in it. I am currently using it as an online store. However, I want to make an app version of the website so that people can sign up, sign in and purchase stuff on the app as well as the website.

So I figured I would have to encrypt the users' passwords the same way WooCommerce encrypts them, so that a password sent from the app would have the same hash as one sent through WooCommerce.

The problem is I don't know how WooCommerce encrypts its passwords, and I tried searching it up but didn't get anything.

I had a hunch that WordPress and WooCommerce encrypted passwords in the same way, until I made two accounts with the same password, one through WordPress and one through WooCommerce, and their hashes came out differently in my database.

If someone can help me figure out how to have two identical password hashers, preferably without doing away with the WooCommerce login system I already have, I would be grateful.

Alternatively: if someone could show me where the PHP file that WooCommerce uses to encrypt its passwords is, that would be awesome too!

Thanks in advance.

  • Why do you need someone else to give you access to *your own* files? – May 04 '16 at 21:56
  • Because I don't know where it is :D – Luid May 04 '16 at 21:57
  • I see how that came out wrong in the text; I've changed it now. – Luid May 04 '16 at 21:59
  • WordPress won't give you the same hash for the same password twice because of salting. See https://wordpress.org/support/topic/how-is-the-user-password-encrypted-wp_hash_password – Dave Ross May 04 '16 at 22:10
  • Have you checked that the password is sent *encrypted* and not just the plain entered password? (Use Charles Proxy to see what is actually sent. Usually the password is sent as plain text under HTTPS for security and hashed when saved in the back-end.) – zaph May 04 '16 at 22:12
  • Wait, if WordPress doesn't give you the same hash for the same password twice, then how does it check if the password you enter when you log in is the same one that you entered when you registered? Assuming that it hashes it before it passes it into its database. – Luid May 04 '16 at 22:32
  • @DaveRoss sorry, I forgot to type your name in the above comment^. – Luid May 04 '16 at 22:42
  • @zaph I am not sure what you mean. I have access to the database on my website, where all the passwords are stored (hashed), and I need to be able to hash my own passwords in the same way to get the same hash as WooCommerce. – Luid May 04 '16 at 22:46
  • I'm removing the **encryption** tag as this is about password hashing (via phpass, it turns out), which isn't encryption. – Scott Arciszewski May 06 '16 at 19:28

2 Answers

This was apparently too long for a comment...

If you look in the wp_users table after you change someone's password, their user_pass field is going to look like $P$BCaLL1.Kcf3mWvwhEvQedwyX.etREw.. The $P$ is a flag indicating that PHPass generated the password. The next 8 characters BCaLL1.K are a random salt that's unique for every user. And the remaining characters are the result of running a hashing function (bcrypt) on the password a number of times, appending the salt to the value each time it's about to run the hash again.

You might think having the salt there in plaintext is a security risk, but having a unique salt per record makes it harder to use rainbow tables to crack the password, and running the hash algorithm multiple times and salting it each time makes it computationally expensive to crack.

To answer your original question, the wp_hash_password() function is the place to start. You can see how it interacts with PHPass to generate the hash.


It turns out that WooCommerce and WordPress do use the same password hasher (in this case phpass).

However, the password hasher does not hash the same password in the same way twice. So the only way to check if a password given in plain text is the same as a password that was encrypted is to run a special function.

In this case the special function for phpass is 'checkpassword':

<?php
// PasswordHash.php ships with phpass; WordPress constructs it as new PasswordHash(8, true)
require_once 'PasswordHash.php';
$t_hasher = new PasswordHash(8, true);

$correct = 'original password here';
$hash = 'some hashed password (eg. $P$BzunkYjtVU1F6Derj3.2sNslS.4jL6/)';
// CheckPassword re-hashes $correct using the cost and salt stored in $hash and compares
$check = $t_hasher->CheckPassword($correct, $hash);

if ($check) {
    echo "The passwords are the same";
} else {
    echo "The passwords are not the same";
}

In the example it checks the plain text password against a hash to see if they are the same. More information about it can be found in the 'test.php' file present in the folder of a download of phpass.

In my case I just had to download phpass and implement the 'checkpassword' function.

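A Python re-implementation of the phpass portable scheme that both answers describe, added here as an illustration (it is not code from the question, the answers, phpass or WordPress). A stored $P$ value is the prefix, one cost character, an 8-character salt and then 22 characters encoding an iterated MD5 digest; CheckPassword simply re-hashes the candidate password with the stored cost and salt, which is why two hashes of one password differ yet both verify. Assumed: the cost of 8 that wp_hash_password passes to PasswordHash (giving the $P$B seen in the first answer), and a constant-time comparison in place of phpass's plain == check.

```python
import hashlib
import hmac
import os
# phpass's own 64-char alphabet; the index of the cost character is log2(iterations)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's base-64 variant (little-endian, no padding): 16 bytes -> 22 chars, 6 -> 8."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def _crypt_private(password: bytes, setting: str):
    """Recompute a portable hash from its first 12 chars ($P$, cost char, 8-char salt); None if malformed."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return None
    cost_log2 = ITOA64.find(setting[3])
    if cost_log2 < 7 or cost_log2 > 30:
        return None
    digest = hashlib.md5(setting[4:12].encode("ascii") + password).digest()
    for _ in range(1 << cost_log2):  # 2**cost_log2 more MD5 rounds, password mixed in each time
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)

def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """New hash with a fresh 6-byte random salt; 8 is the cost WordPress passes to PasswordHash (assumed)."""
    setting = "$P$" + ITOA64[min(iteration_count_log2 + 5, 30)] + _encode64(os.urandom(6))
    return _crypt_private(password.encode("utf-8"), setting)

def check_password(password: str, stored_hash: str) -> bool:
    """phpass CheckPassword: re-hash with the stored cost and salt, then compare in constant time."""
    computed = _crypt_private(password.encode("utf-8"), stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)
```

The test.php in the phpass download mentioned above carries a known-good portable hash that can be fed to check_password to cross-check a port like this one.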