
I am in the process of converting a site from Wordpress to a custom CMS developed in Codeigniter. I was told that Wordpress uses PHPass to hash their passwords, so I am using the PHPass library (as outlined at this site) in an attempt to seamlessly transition the users over without them having to reset or change their passwords.

I have it working fine in my application, but it's not generating the same password hashes as Wordpress uses. I'm assuming it's related to some kind of site key, but I'm not having any luck. How can I make PHPass generate the same password hash?

Motive

2 Answers


You won't be able to get PHPass to generate the same hash twice - it uses a random salt. That salt is stored inside the password hash.

You don't really need to generate the same hash, though - copy the old one, and use PHPass' CheckPassword($pass, $hash) to check the password. Give it the hash from the DB as $hash and the password entered as $pass, and it'll return true if they're a match.

The HashPassword() method is ONLY to be used to create a new password hash (for a new password), not to compare against an existing one.

Randy Glenn
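Added example (not from either answer, and not the PHPass library's own code): a Python re-implementation of the portable "$P$" scheme that WordPress's bundled PHPass produces, written from the published phpass algorithm, so the structure of a stored WordPress hash can be inspected and verified outside PHP. It shows the point both answers circle around: the salt is not a separate site key but the 8 characters embedded in the hash itself, which is why `HashPassword()` can never reproduce an existing hash and why `CheckPassword()` (here `check_password`) is the right call during a migration. The known-good hash for the password `test12345` is the portable test value shipped in phpass's own `test.php`; everything else is constructed for this example. Only the portable scheme is covered, not the bcrypt or extended-DES variants phpass can fall back to.

```python
"""Re-implementation of phpass portable ("$P$" / "$H$") hashes, so a
WordPress password hash can be parsed and verified without PHP.

Assumption: this mirrors phpass PasswordHash::crypt_private()/encode64()
for the portable scheme only. bcrypt ("$2a$") and extended-DES ("_")
hashes, which phpass can also emit on other configurations, are not handled.
"""
import hashlib
import hmac
import os

# phpass's own base-64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 raw bytes -> 4 alphabet chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_hash(stored_hash: str) -> dict:
    """Split a 34-char portable hash into its fields. The salt is the 8
    characters after the cost character: it lives inside the hash, so two
    hashes of the same password never match."""
    if len(stored_hash) != 34 or stored_hash[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(stored_hash[3])
    return {
        "scheme": stored_hash[:3],
        "iterations": 1 << cost_log2,
        "salt": stored_hash[4:12],
        "digest": stored_hash[12:],
    }


def _crypt_private(password: bytes, setting: str) -> str:
    """Recompute a portable hash from a password and a setting string (the
    first 12 characters of an existing hash, or a freshly generated salt)."""
    bad = "*1" if setting.startswith("*0") else "*0"
    if setting[:3] not in ("$P$", "$H$"):
        return bad
    cost_log2 = ITOA64.find(setting[3])
    if cost_log2 < 7 or cost_log2 > 30:
        return bad
    salt = setting[4:12]
    if len(salt) != 8:
        return bad
    # md5(salt . password), then md5(prev . password) repeated 2**cost_log2 times.
    digest = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of PHPass CheckPassword($pass, $hash) for portable hashes:
    re-derive the hash using the salt and cost found in the stored value."""
    computed = _crypt_private(password.encode("utf-8"), stored_hash)
    if computed.startswith("*"):
        return False
    return hmac.compare_digest(computed, stored_hash)


def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """Equivalent of HashPassword() for a portable hash. WordPress constructs
    PasswordHash(8, true), so its hashes begin with "$P$B" (13 = 8 + 5)."""
    cost_char = ITOA64[min(iteration_count_log2 + 5, 30)]
    setting = "$P$" + cost_char + _encode64(os.urandom(6), 6)  # random salt
    result = _crypt_private(password.encode("utf-8"), setting)
    if len(result) != 34:
        raise RuntimeError("hash generation failed")
    return result


if __name__ == "__main__":
    # Known-good value from phpass's own test.php for the password 'test12345'.
    wp_style_hash = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
    print(parse_hash(wp_style_hash))
    print(check_password("test12345", wp_style_hash))  # True
    print(check_password("test12346", wp_style_hash))  # False
    # Two hashes of one password differ because each carries its own random salt.
    print(hash_password("hunter2"), hash_password("hunter2"))
```

For the migration itself this means: copy the `user_pass` column verbatim, verify logins with `CheckPassword()` against the copied value, and, if the new CMS wants a different scheme or cost, rehash the plaintext only at the moment a user logs in successfully. One caveat worth knowing: WordPress's `wp_check_password()` also still accepts 32-character plain-MD5 hashes left over from pre-2.5 installs, so a site that has existed that long may have a few rows that are not `$P$` hashes at all.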

There are a couple of possibilities. They're either using a different hashing algorithm, or they're salting their hashes, or they're using some other method of obfuscation. If Wordpress salts their hashes, then you'd have to gain access to their salt table or single salt phrase to alter their hashes -- but I doubt you'll get that. I verified that PHPass does support salting as well as other hash-obfuscating methods, so one of those is probably the reason why your hashes aren't coming out identical.

http://www.openwall.com/articles/PHP-Users-Passwords

thepip3r