password hasing

  • Resolved colmanbyrne

    (@colmanbyrne)


    6 years, 4 months ago

    Hi for the password hashing section in setting

    how can I determein if the salt is before or after

    external database is using
    statement like

    $newpassword = crypt(md5($password), $pw_salt);

    so a single salt for all passwords , but before or after ?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author tbenyon

    (@tbenyon)

    6 years, 4 months ago

    Hey @colmanbyrne,

    The statement you have sent is a custom hashing solution and thus not supported by the plugin as a standard setting.

    This is because as well as using the crypt hashing method, it is also relying on an md5 hash.

    For this reason the only way for you to solve this is by using the “exlog_hook_filter_authenticate_hash” hook. You can find documentation for its use in the FAQ.

    To help you out however, this is something like what you would want to add to your functions.php file:

    
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
    $pw_salt = 'someSaltUsedOnExternalDatabase'
    $generatedHashFromEnteredPassword = crypt(md5($password), $pw_salt)
    return $generatedHashFromEnteredPassword == $hashFromDatabase;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

    I have not tested this so treat this like pseudo code to help you build a solution.

    I should also point out that the hashing system your external database is using is not best practice. I would recommend reading the SECURITY NOTES -> Hashing section of the main plugin page for guidance on why this is not desirable.

    Let me know if you have any questions, and let me know how you get on,

    Thanks,

    Tom 🙂

    • This reply was modified 6 years, 4 months ago by tbenyon.
    Thread Starter colmanbyrne

    (@colmanbyrne)

    6 years, 4 months ago

    Hi Tom

    That’s great I will use the hook ,
    one question though , do I need to set the Hashing type to none or anything else to use the hook and avoid any conflicts ? or the this setting ignores by the hook

    Colman

    Plugin Author tbenyon

    (@tbenyon)

    6 years, 4 months ago

    If the hook is in place, the rest of the settings for password hashing are ignored.

    You’ve made me realise however this is not documented or very clear. I may add a notice to the admin area in the future to indicate if the custom hook has been found.

    I’ll mark this thread as resolved for now but if you have any further issue don’t hesitate to get back in contact. 🙂

    If you like the plugin I’d be very grateful for a review.

    Thanks Colman,

    Tom 🙂

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘password hasing’ is closed to new replies.