php - Joomla 3.2.1 password encryption

Question

When the user register on the site , and I look in the database joomla_users in the password table, there are password stored in the following formats:

• $P$Do8QrURFT1r0NlWf0X/grdF/aMqwqK/

• $P$DH38Lch9z508gJiop3A6u0whTity390

• ........

But not in the form as described in the documentation (MD5 + ":" + SALT):

• 1802ebc64051d5b4f4d1b408babb5020:0PHJDbnsyX05YpKbAuLYnw2VCzFMW2VK

I need to have this clarified for me, because I'm using outside script that checks for user credentials to check for password match.

In my PHP script I have code that seperates SALT from password from database:

$parts   = explode( ':', $password_database );
$crypt   = $parts[0];
$salt   = $parts[1];

But I can't do that if there is no dobule knot (:)

Answer 1

Try this,

The following piece of code is creating Joomla standard password (Older Version 1.5,1.7 etc).

 jimport('joomla.user.helper');
 $salt = JUserHelper::genRandomPassword(32);
 $crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
 $password = $crypt.':'.$salt;

Joomla 3.2+ introduced PHP's password algorithm bcrypt but it required a minimum PHP 5.3+ If you plan to use bcrypt make sure your server PHP version is capable for this, read more here.

The other Version of Joomla Using the following methods (Joomla 3.x)

 jimport('joomla.user.helper');
 $yourpass = JUserHelper::hashPassword($password_choose);

The older algorithm also works fine in latest version too , only difference is older version creates a 65 character password and new one creates 34 character string. always go with updated version

Also if you are using external script should include Joomla framework like below. This should at very top of your external php file

define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();

Also you mentioned you have to check users credential then no need to check password format and all thing just use below codes after framework loads.

   $credentials['username'] = $data['username']; //user entered name
   $credentials['password'] = $data['password']; //users entered password
   $app = JFactory::getApplication();
   $error = $app->login($credentials, $options);
   if (!JError::isError($error)) {
    // login success
    }
  else{
    //Failed attempt
   }

hope it helps..