
Joomla 3.2.1 password encryption

When a user registers on the site and I look in the database joomla_users in the password table, there are passwords stored in the following formats:

  • $P$Do8QrURFT1r0NlWf0X/grdF/aMqwqK/

  • $P$DH38Lch9z508gJiop3A6u0whTity390

  • ........

But not in the form as described in the documentation (MD5 + ":" + SALT):

  • 1802ebc64051d5b4f4d1b408babb5020:0PHJDbnsyX05YpKbAuLYnw2VCzFMW2VK

I need to have this clarified for me, because I'm using an outside script that checks user credentials for a password match.

In my PHP script I have code that separates the SALT from the password from the database:

$parts   = explode( ':', $password_database );
$crypt   = $parts[0];
$salt   = $parts[1];

But I can't do that if there is no double knot (:).

asked Jan 23 '14 09:01

Gregor


3 Answers

Try this,

The following piece of code creates a Joomla standard password (older versions 1.5, 1.7, etc.).

 jimport('joomla.user.helper');
 $salt = JUserHelper::genRandomPassword(32);
 $crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
 $password = $crypt.':'.$salt;

Joomla 3.2+ introduced PHP's password algorithm bcrypt, but it required a minimum of PHP 5.3+. If you plan to use bcrypt, make sure your server's PHP version is capable of this; read more here.

Other versions of Joomla use the following method (Joomla 3.x):

 jimport('joomla.user.helper');
 $yourpass = JUserHelper::hashPassword($password_choose);

The older algorithm also works fine in the latest version too; the only difference is that the older version creates a 65-character password and the new one creates a 34-character string. Always go with the updated version.

Also, if you are using an external script, you should include the Joomla framework like below. This should be at the very top of your external PHP file:

define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

$mainframe = JFactory::getApplication('site'); // plain assignment; =& on a function result raises a notice
$mainframe->initialise();

Also, you mentioned you have to check the user's credentials; then there is no need to check the password format and all that. Just use the code below after the framework loads.

   $credentials = array();
   $credentials['username'] = $data['username']; //user entered name
   $credentials['password'] = $data['password']; //users entered password
   $options = array();
   $app = JFactory::getApplication();
   // login() returns true only on success; a failure comes back as false or an error object
   $result = $app->login($credentials, $options);
   if ($result === true) {
    // login success
   }
   else {
    //Failed attempt
   }

hope it helps..

answered Oct 02 '22 07:10

Jobin


Joomla's default user class no longer uses salted MD5 to hash the password. The bind function of the JUser class now calls JUserHelper::hashPassword($array['password']) to encrypt the password.

That function is currently this:

public static function hashPassword($password)
{
    // Use PHPass's portable hashes with a cost of 10.
    $phpass = new PasswordHash(10, true);

    return $phpass->HashPassword($password);
}

And that means that it now relies on PHPass, which you can read more about here: http://www.openwall.com/phpass/. Based on reading just the intro of this site, I'm guessing that the encryption is now bcrypt instead of MD5, but Joomla may have overridden the default encryption.

answered Oct 01 '22 07:10

David Fritsch
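
An added example, not part of the answers on this page and not Joomla's or phpass's own code: a standalone check (PHP 7.1+) for an external script that dispatches on the stored format instead of splitting on ':'. It assumes `$P$` values are phpass "portable" hashes (iterated MD5 with an 8-character salt and the cost encoded in the fourth character) and that legacy values are `md5(password . salt):salt`; the function names and demo values are made up for illustration.

```php
<?php
// Added example: function names and sample values are hypothetical.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
// phpass's base64 variant: 6 bits per character, least significant bits first.
function phpass_encode64(string $input, int $count): string {
    $out = ''; $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $out .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $out .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}
// Recompute a "$P$" hash using the cost and salt embedded in the stored value.
function phpass_portable(string $password, string $stored): ?string {
    $log2 = strlen($stored) === 34 ? strpos(ITOA64, $stored[3]) : false;
    if (strncmp($stored, '$P$', 3) !== 0 || $log2 === false || $log2 < 7 || $log2 > 30) {
        return null; // malformed setting
    }
    $hash = md5(substr($stored, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($stored, 0, 12) . phpass_encode64($hash, 16);
}
// Pick the verifier from the stored value's format; compare in constant time.
function verify_joomla_password(string $password, string $stored): bool {
    if (strncmp($stored, '$P$', 3) === 0) {               // phpass portable
        $calc = phpass_portable($password, $stored);
        return $calc !== null && hash_equals($stored, $calc);
    }
    if (strncmp($stored, '$2', 2) === 0) {                // bcrypt
        return password_verify($password, $stored);
    }
    if (strpos($stored, ':') !== false) {                 // legacy md5(password . salt):salt
        list($crypt, $salt) = explode(':', $stored, 2);
        return hash_equals($crypt, md5($password . $salt));
    }
    return false;                                         // unknown format: reject
}
// Constructed demo values: a legacy hash and a phpass round trip with a made-up salt.
$legacy   = md5('s3cret' . 'ConstructedSalt') . ':ConstructedSalt';
$portable = phpass_portable('s3cret', '$P$Dabcdefgh' . str_repeat('.', 22));
var_dump(verify_joomla_password('s3cret', $legacy), verify_joomla_password('s3cret', $portable));
var_dump(verify_joomla_password('wrong', $portable), verify_joomla_password('s3cret', 'garbage'));
```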


With David Fritsch's answer I got to make an encrypted password as Joomla does:

<?php
    define( '_JEXEC', 1 );
    define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
    define( 'DS', DIRECTORY_SEPARATOR );

    require_once( JPATH_BASE .DS.'includes'.DS.'defines.php' );
    require_once( JPATH_BASE .DS.'includes'.DS.'framework.php' );

    $mainframe = JFactory::getApplication('site'); // plain assignment; =& on a function result raises a notice
    $mainframe->initialise();

    jimport('joomla.user.helper');
    $password = "test";     
    echo "<strong>Password: </strong>" . JUserHelper::hashPassword($password);
?>

Note that you have to store the file in the Joomla root directory, or change JPATH_BASE.

answered Oct 01 '22 07:10

Mikel