joomla password encryption

Red picture Red · May 3, 2012 · Viewed 78k times · Source

I need to access the joomla user table jos_users for login checking from external php script [codeignitor].

joomla storing password like this

4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT

Looks like this is not the normal MD5 ,so i cannot use md5(password) .

what is the possible way to create the password ?

Thank you.

Answer

klennepette picture klennepette · May 3, 2012

Joomla passwords are MD5 hashed, but the passwords are salted before being hashed. They are stored in the database as {hash}:{salt} this salt is a random string 32 characters in length.

So to create a new password hash you would do md5($password.$salt)

EDIT

Okay so for checking a password, say a user myguy enters the password mypassword, you would retrieve the row from the database that has username myguy.

In this row you'll find a password say 4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT. You split up the password hash and the salt:

$hashparts = preg_split (':' , $dbpassword);
echo $hashparts[0]; //this is the hash  4e9e4bcc5752d6f939aedb42408fd3aa
echo $hashparts[1]; //this is the salt  0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT

now calculate the hash using this salt and the password myguy entered

$userhash = md5($userpassword.$hashparts[1]); // This would be 'mypassword' and the salt used in the original hash

Now if this $userhash and $hashparts[0] are identical the user has entered the correct password.