I need to access the Joomla user table jos_users for login checking from an external PHP script [CodeIgniter].
Joomla is storing the password like this:
4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT
It looks like this is not the normal MD5, so I cannot use md5(password).
What is the possible way to create the password?
Thank you.
Joomla passwords are MD5 hashed, but the passwords are salted before being hashed.
They are stored in the database as {hash}:{salt}. This salt is a random string 32 characters in length.
So to create a new password hash you would do md5($password.$salt)
EDIT
Okay, so for checking a password: say a user myguy enters the password mypassword; you would retrieve the row from the database that has username myguy.
In this row you’ll find a password, say 4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT.
You split up the password hash and the salt:
$hashparts = preg_split('/:/', $dbpassword); // preg_split needs a delimited regex pattern
echo $hashparts[0]; //this is the hash 4e9e4bcc5752d6f939aedb42408fd3aa
echo $hashparts[1]; //this is the salt 0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT
Now calculate the hash using this salt and the password myguy entered:
$userhash = md5($userpassword.$hashparts[1]); // This would be 'mypassword' and the salt used in the original hash
Now if this $userhash and $hashparts[0] are identical, the user has entered the correct password.
Answer:
From the Joomla forum, this is what happens behind the scenes:
A. Generate a password
B. Generate a string with 32 random characters
C. Concatenate Password (Step A) and RandomString (Step B)
D. Take md5(Result of Step C)
E. store Step D Result : Step B Result
Example:
Generate a password - Let 'testing'
Generate a string of 32 random characters - 'aNs1L5PajsIscupUskaNdPenustelsPe'
Concatenate Password and random string - testingaNs1L5PajsIscupUskaNdPenustelsPe
md5(Step C Result) - 5cf56p85sf15lpyf30c3fd19819p58ly
store step d:step B - 5cf56p85sf15lpyf30c3fd19819p58ly:aNs1L5PajsIscupUskaNdPenustelsPe
You can find code in Joomla like
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword("testing", $salt);
$password = $crypt . ':' . $salt;
Or we can say:
password DB field = md5(password + salt) + ":" + salt
Where salt is random 32 char string.
thanks
Answer:
In standard Joomla you can create a password in the following way:
jimport('joomla.user.helper');
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
$password = $crypt.':'.$salt;
You mention that you are accessing it from an external file (or program); if you have a Joomla installation on the other side, you can access it from outside the Joomla structure using the default Joomla framework, like this:
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
Answer:
I couldn’t use preg_split, but explode works well.
$hashparts = explode (':' , $dbpassword);
Answer:
From the joomla source file libraries/joomla/crypt/password/simple.php there are multiple ways they get stored, and some do not have a ‘:’ character.
    switch ($type)
    {
        case '$2a$':
        case JCryptPassword::BLOWFISH:
            if (JCrypt::hasStrongPasswordSupport())
            {
                $type = '$2y$';
            }
            else
            {
                $type = '$2a$';
            }
            $salt = $type . str_pad($this->cost, 2, '0', STR_PAD_LEFT) . '$' . $this->getSalt(22);
            return crypt($password, $salt);
        case JCryptPassword::MD5:
            $salt = $this->getSalt(12);
            $salt = '$1$' . $salt;
            return crypt($password, $salt);
        case JCryptPassword::JOOMLA:
            $salt = $this->getSalt(32);
            return md5($password . $salt) . ':' . $salt;
    }
}
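The stored formats named in this thread (legacy {hash}:{salt}, a bare MD5, and the crypt()-style $2y$/$2a$/$1$ hashes) can be checked by a single routine in an external script. This is an added example, not code from Joomla or from any answer here; the function name, its return shape and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example: check a password against the stored formats named in this thread.
// verify_stored_hash() and its return shape are hypothetical, not Joomla API.
function verify_stored_hash(string $password, string $stored): array
{
    // crypt()-style hashes: bcrypt ($2y$, $2a$) and MD5-crypt ($1$).
    // password_verify() accepts crypt() output and compares in constant time.
    if (preg_match('/^\$(2y|2a|1)\$/', $stored)) {
        $isBcrypt = strncmp($stored, '$2', 2) === 0;
        $ok = password_verify($password, $stored);
        return ['ok' => $ok, 'rehash' => $ok && !$isBcrypt];
    }
    // phpass portable hashes ($P$) need the PasswordHash class; reject them here
    // instead of letting them fall through to the MD5 branch.
    if (strncmp($stored, '$P$', 3) === 0) {
        return ['ok' => false, 'rehash' => false];
    }
    // Legacy layouts: md5(password . salt) . ':' . salt, or a bare md5(password).
    $parts = explode(':', $stored, 2);
    $hash  = $parts[0];
    $salt  = $parts[1] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return ['ok' => false, 'rehash' => false];
    }
    // hash_equals() avoids the timing leak of comparing with == or ===.
    $ok = hash_equals($hash, md5($password . $salt));
    // MD5 is cheap to brute-force, so a successful legacy login should be re-hashed.
    return ['ok' => $ok, 'rehash' => $ok];
}

// Constructed sample data, generated here so the script runs offline.
$salt   = 'CONSTRUCTEDsalt0123456789abcdefg';          // 32 characters
$legacy = md5('mypassword' . $salt) . ':' . $salt;      // {hash}:{salt}
$bcrypt = password_hash('mypassword', PASSWORD_BCRYPT); // $2y$...

foreach ([$legacy, $bcrypt] as $stored) {
    foreach (['mypassword', 'wrongpassword'] as $attempt) {
        $result = verify_stored_hash($attempt, $stored);
        if ($result['rehash']) {
            // Value to write back to the password column after a legacy match.
            $result['upgraded'] = password_hash($attempt, PASSWORD_BCRYPT);
        }
        var_dump($attempt, $result);
    }
}
```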
Answer:
Joomla! uses PhPass.
root/libraries/phpass/PasswordHash.php
Have a look here; you will see how the password is generated.
The $2y is the default (and preferred) prefix on bcrypt hashes.
As for code, you’ll want to look inside JUserHelper's hashPassword and verifyPassword methods to see how Joomla’s working with things right now.
Some references:
https://github.com/joomla/joomla-cms/blob/3.4.1/libraries/joomla/user/helper.php#L296-L387
https://docs.joomla.org/API15:JUserHelper/getCryptedPassword
https://docs.joomla.org/API15:JUserHelper/getSalt
Check the links; I hope you will find them helpful 🙂
Answer:
Joomla “understands” the passwords with “normal” md5.
What I’ve done in the past (to test a user’s login), was to save the original password, encrypt a new one in md5, replace it in the database, test it with the browser (and it works) and when I was done, paste the original password in the database.
Answer:
If you just use md5($password); it’ll work, try it. Joomla has a mechanism and it can work with multiple types of passwords (including, as of late, strong passwords). You don’t have to worry about the part after the colon. Just use md5($password) and it’ll definitely work.
By the way, this’ll also work on Joomla 3.x.
Answer:
<?php
// random_bytes() replaces mcrypt_create_iv(), which went away with the mcrypt extension in PHP 7.2
$r = bin2hex(random_bytes(16));
$p = 'the_password';
$s = $p . $r;
$m = md5($s);
$out = $m . ':' . $r;
echo $out;
Len 16 because bin2hex doubles the character size, since 1 byte becomes 2 bytes
Tags: php