How do you import members from another system to Wordpress and update passwords so they'll work?

Question

Our current system ( not using Wordpress ) has 1000s of users that we need to port over to Wordpress. The problem we're running into is that the passwords can't stay the same.

In our current system the passwords are saved with:

md5( md5( $password ) . USER_SALT ); // USER_SALT is a defined constant

Not the best obviously, but not the worst...

We need to make these password hashes that we currently have work in WP as well. Is there a way we can run all new passwords through this setup first and then through WPs own hashing?

I know you can hook into the functions like:

function my_hash_password($password){
    return md5( md5( $password ) . USER_SALT );
}
add_action('wp_hash_password', 'my_hash_password' );

For some reason that's not fully working either.

Surely somebody else has already gone through this before.

Thanks.

EDIT !!!!

So far there is some confusion. I am NOT asking no un-hash the hashed password that we have. What I am saying is that with our current system the passwords look like:

Password:  password
Hash function: md5( md5( $password ) . USER_SALT );
Output: d372f9c033e9c358b111ff265e080d3a

I want to 'maybe' be able to take the hash above and feed it to the native WP password hasher so that:

d372f9c033e9c358b111ff265e080d3a

becomes...

$P$BdrwxndTzgTVHUozGpQ9TEMYd6mpTw0

after it goes through their function.

Then when a user logs in we send their plain text password back through our function and then through WPs to get a match.

////////////////////////

UPDATE !!!

///////////////////////

Trying to override the 'wp_check_password' function that is pluggable in WP, but for some reason it doesn't seem to be working.

function my_check_password($password, $hash, $user_id = '') {
    global $wp_hasher;
    if ( $hash == md5( md5( $password ) . USER_SALT ) ){
        if ( $user_id ) {
        $check = true;
        wp_set_password($password, $user_id);
        $hash = wp_hash_password($password);
      }
      return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }

    // If the hash is still md5...
    elseif ( strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
        if ( $check && $user_id ) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }

    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if ( empty($wp_hasher) ) {
        require_once( ABSPATH . WPINC . '/class-phpass.php');
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, true);
    }

    $check = $wp_hasher->CheckPassword($password, $hash);

    /** This filter is documented in wp-includes/pluggable.php */
    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
add_action('wp_check_password', 'my_check_password' );

Anybody have any ideas?

Answer 1

I didn't test this but in inc/wp-phpass.php in wordpress directory

function crypt_private($password, $setting)
{
    $output = '*0';
    if (substr($setting, 0, 2) == $output)
        $output = '*1';

    $id = substr($setting, 0, 3);
    # We use "$P$", phpBB3 uses "$H$" for the same thing
    if ($id != '$P$' && $id != '$H$')
        return $output;

    $count_log2 = strpos($this->itoa64, $setting[3]);
    if ($count_log2 < 7 || $count_log2 > 30)
        return $output;

    $count = 1 << $count_log2;

    $salt = substr($setting, 4, 8);
    if (strlen($salt) != 8)
        return $output;

    # We're kind of forced to use MD5 here since it's the only
    # cryptographic primitive available in all versions of PHP
    # currently in use.  To implement our own low-level crypto
    # in PHP would result in much worse performance and
    # consequently in lower iteration counts and hashes that are
    # quicker to crack (by non-PHP code).
    if (PHP_VERSION >= '5') {
        $hash = md5($salt . $password, TRUE);
        do {
            $hash = md5($hash . $password, TRUE);
        } while (--$count);
    } else {
        $hash = pack('H*', md5($salt . $password));
        do {
            $hash = pack('H*', md5($hash . $password));
        } while (--$count);
    }

    $output = substr($setting, 0, 12);
    $output .= $this->encode64($hash, 16);

    return $output;
}

as you can see they do use a simple md5 for password , you can change that to your own logic , BEWARE !! you have to manually change this every-time WordPress updates this file :/ Not the best solution around but i hope this helps you