Use wordpress database for other script
-
My website used to work on wordpress engine but now I’m writing my own script. The problem is that users’ passwords in the wp_users table are encoded in a strange way… Can anyone please tell me how I should encode/decode them so that it works in my new script?
-
You can’t decrypt them, that’s the whole point to encrypting them to begin with, else every admin could see his or her user’s passwords.
If you want to take a user entered password and compare it to that in the WP database, you simply need to encrypt the data in MD5..

// Example only - you should always check a var is set and sanitize before doing anything else with it
$password = md5( $_POST['user_pass'] );

Hope that helps… :)
This is an example of password from wordpress database:
$P$BNi4kc8Klwg47LMl/JtBM9Tu6EGQR11
It doesn’t seem to be md5 encrypted, does it?
Yes, that could easily be an MD5 encrypted password.
It can be but it isn’t unfortunately. Try md5 your current wordpress password and compare it to the database record :)
I’ve just tested an MD5 password, and it works for me..
However, something does seem to happen after I log in using a newly generated password, I’d guess WordPress does something with it, I’m not sure what, but in any case, it still remains MD5 encrypted and login does work correctly.
I tried two ways both via PhpMyAdmin..
Edited a user, plonked in an MD5 string of a newly made password (taken from the result of echo md5('mypassword');), and saved.. Then logged in successfully.
Second approach, edited a user, removing the password, setting the field in phpmyadmin to MD5, typed in mypassword to the right, hit Save (Go in phpmyadmin).
Then logged in successfully.
I can repeat this over and over, MD5 is correct, and it does work.
WordPress automatically replaces the standard md5 hash with its own when you log in. I found the code responsible for generating the encrypted password:
http://core.trac.ww.wp.xz.cn/browser/branches/3.0/wp-includes/class-phpass.php
It’s clear that it’s not a standard md5 hash!
Good find, then you should be set to go..
Hash your password in the same manner WordPress does (you’ll have to dig and play around with the class to figure how exactly to do that). I’ve not done it myself, so I can’t be any less general than that unfortunately..
Have a look at how it’s used in wp-includes/pluggable.php. Namely, have a look at the functions wp_check_password and wp_hash_password.
Well I tried it and as it seems everything works fine… Much easier than I thought :))
Thanks for help!
Glad to hear it’s all working for you..
And I’m happy to help.. :)
Hi guys, I am on the same roadblock at the moment.
I can’t figure out why the passwords do not match when encrypted with md5 as well as wp_hash_password();
This is my code
<?php
include_once($_SERVER['DOCUMENT_ROOT'].'/wp-config.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/wp-load.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/wp-includes/wp-db.php');
global $userdata;
global $wpdb;
//get the posted values
$posted_username = $_POST['username'];
$posted_password = $_POST['password'];
$user_name = htmlspecialchars($posted_username,ENT_QUOTES);
$pass_word = wp_hash_password($posted_password);
$pass_md5 = md5($posted_password);
$pass = $pass_word;
$userinfo = get_userdatabylogin($user_name);
if ( $pass == $userinfo->user_pass){
    echo "yes";
} else
    echo "no<br />:";
echo $pass;
echo '<br />:';
echo $userinfo->user_pass;
echo '<br />:';
echo $userinfo->ID;
echo '<br />:';
echo $userinfo->user_login;
echo '<br />:';
echo $pass_md5;
echo '<br />:';
echo wp_hash_password('mypassword');
?>

it prints out the following:

no :$P$BJhGR7TPd771cFb6UFVSknys.MDjBw. :$P$B7g6c9b3YavlDCT41/1wNWxUqN5E4q1 :1 :myusername :8684854737c96012f1b6640fa1edf69d :$P$B0T9SE3Cnd3NM2iEPFJ.SxwqSCBFR8/

Another strange issue is that the passwords which come from the form post change on every refresh.
So the following time I tried this script it is printing out this.

no :$P$Bhjs6fejE8OOb2P.jEFa3VbD0BLpb40 :$P$B7g6c9b3YavlDCT41/1wNWxUqN5E4q1 :1 :myusername :8684854737c96012f1b6640fa1edf69d :$P$BtWdkKKaw5DyXQmZ12CkX5ljyvZDv80

You have a clue what is wrong? It is giving me kopfsmertse for a while now.
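
The script in the post above compares a freshly generated wp_hash_password() string with the stored one; each call picks a new random salt, so the two strings differ on every request, and a check has to recompute the hash with the cost character and salt embedded in the stored value (inside WordPress, wp_check_password does this). As an added example, not code from this thread or from WordPress, here is a stand-alone PHP version of that check for the "$P$" format produced by class-phpass.php. The function names, salts and demo password are made up for illustration.

```php
<?php
// Added example (not WordPress code): verify a wp_users.user_pass value stand-alone.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base64 variant: bytes are packed little-endian, 6 bits per output character.
function phpass_encode64(string $input, int $count): string {
    $a = ITOA64; $out = ''; $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= $a[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $out .= $a[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $out .= $a[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= $a[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a "$P$" hash from the cost character and 8-character salt stored in $setting.
function phpass_crypt(string $password, string $setting): ?string {
    if (strlen($setting) !== 34 || strncmp($setting, '$P$', 3) !== 0) { return null; }
    $log2 = strpos(ITOA64, $setting[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return null; }
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Two stored forms seen in the thread: a plain MD5 hex string and the salted "$P$" form.
function check_wp_password(string $password, string $stored): bool {
    if (strlen($stored) <= 32) {
        return hash_equals($stored, md5($password));
    }
    $computed = phpass_crypt($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// Constructed demo: one password, two made-up salts (the trailing dots are filler).
$h1 = phpass_crypt('mypassword', '$P$BsaltAAAA' . str_repeat('.', 22));
$h2 = phpass_crypt('mypassword', '$P$BsaltBBBB' . str_repeat('.', 22));
var_dump($h1 === $h2);                                          // string comparison, as in the post
var_dump(check_wp_password('mypassword', $h1));                 // salt-aware comparison
var_dump(check_wp_password('wrong', $h1));                      // wrong password
var_dump(check_wp_password('mypassword', md5('mypassword')));   // legacy MD5 row
```

In a new script, a successful check is a good moment to re-store the password with PHP's password_hash(), since this format is iterated MD5.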
The function to use when programmatically setting the password is wp_hash_password. I ran into a problem similar to mediabros – I’d update the user_pass column in the wp_users table to a wp_hash_password hashed string, but login with the new password was still just not working.
The trick was to make a call to wp_cache_delete($ID, 'users') after setting the password programmatically, clearing the WordPress cache (which apparently stores hashed passwords along with other user details).
Of course, this only applies if you have enabled the WordPress object cache using define('ENABLE_CACHE', true) in wp-config.php