Wordpress password encryption decrypt with ColdFusion
I have a website I am building that will be a 2 piece solution. It will have a blog built with Wordpress, but the main website and store will be built with ColdFusion. We want the user to be able to log into the blog, and log into their shopping cart with the same username and password.

So my question is how do I decrypt the password from the Wordpress style encryption. Also, I will have to encrypt the password to the Wordpress style if a user registers for an account in the checkout process.

Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347006
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Wordpress password encryption decrypt with ColdFusion
http://www.google.com/search?num=50hl=enrlz=1B3GGLL_enUS394US394q=decrypt+Wordpress+password+oq=decrypt+Wordpress+password+aq=faqi=g1g-b2g-bm1aql=gs_sm=egs_upl=1206l6426l0l7484l3l3l0l0l0l0l134l298l1.2l3l0

That should get you started.

HTH

G!

On Thu, Aug 25, 2011 at 12:56 PM, Joel Black j...@blackbeardesign.com wrote:
> decrypt the password from the Wordpress

--
Gerald Guido
http://www.myinternetisbroken.com
--
We all shine on.
Re: Wordpress password encryption decrypt with ColdFusion
Not really possible - it's not encrypted, it's an MD5 hash. You'll find plenty of links on how to *reset* the password (as the generous Google URL copy-and-paster provided), but that's not what you're asking for. There are ways to crack a password, if you have a large enough MD5 hash database, but that's not a good approach.

Your better approach is to convert the Wordpress to use a single sign on solution, such as oAuth. There are a number of WordPress plugins for this.

Billy Cravens
bdcrav...@gmail.com

On Aug 25, 2011, at 11:56 AM, Joel Black wrote:
> I have a website I am building that will be a 2 piece solution. It will have a blog built with Wordpress, but the main website and store will be built with ColdFusion. We want the user to be able to log into the blog, and log into their shopping cart with the same username and password.
>
> So my question is how do I decrypt the password from the Wordpress style encryption. Also, I will have to encrypt the password to the Wordpress style if a user registers for an account in the checkout process.
Re: Wordpress password encryption decrypt with ColdFusion
Billy, thank you for that. Instead of trying to make 1 use the other's system, try and make them both use a 3rd system. I'm going to look into that.
Re: Wordpress password encryption decrypt with ColdFusion
On Thu, Aug 25, 2011 at 1:07 PM, Billy Cravens bdcrav...@gmail.com wrote:
> Not really possible - it's not encrypted, it's an MD5 hash.

I don't know if WordPress uses a hash, but if it does - you can absolutely authenticate against that using ColdFusion's Hash() function.

    // readWordPressPasswordFromDisc() stands in for however the stored hash is loaded
    hashedwordpresspassword = readWordPressPasswordFromDisc();
    if (hash(form.password) eq hashedwordpresspassword) {
        return "good login";
    } else {
        return "bad login";
    }

oAuth would work too, but will be much much more work. Much.

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985
Re: Wordpress password encryption decrypt with ColdFusion
Didn't think about that - you'd have to specify the algorithm:

    hashedPw = hash(form.password, 'MD5')

When I get a chance, I'll test it against my Wordpress install.

Billy Cravens
bdcrav...@gmail.com

On Aug 25, 2011, at 12:35 PM, Cameron Childress wrote:
> On Thu, Aug 25, 2011 at 1:07 PM, Billy Cravens bdcrav...@gmail.com wrote:
>> Not really possible - it's not encrypted, it's an MD5 hash.
>
> I don't know if WordPress uses a hash, but if it does - you can absolutely authenticate against that using ColdFusion's Hash() function.
>
>     hashedwordpresspassword = readWordPressPasswordFromDisc();
>     if (hash(form.password) eq hashedwordpresspassword) {
>         return "good login";
>     } else {
>         return "bad login";
>     }
>
> oAuth would work too, but will be much much more work. Much.
>
> -Cameron
Re: Wordpress password encryption decrypt with ColdFusion
On Thu, Aug 25, 2011 at 3:00 PM, Billy Cravens bdcrav...@gmail.com wrote:
> Didn't think about that - you'd have to specify the algorithm:
>
>     hashedPw = hash(form.password, 'MD5')

Nope. MD5 is the default. hash(form.password) will work just fine.

-Cameron
Re: Wordpress password encryption decrypt with ColdFusion
Look in your wordpress config file and you will find the key.

On 25 Aug 2011 17:57, Joel Black j...@blackbeardesign.com wrote:
> I have a website I am building that will be a 2 piece solution. It will have a blog built with Wordpress, but the main website and store will be built with ColdFusion. We want the user to be able to log into the blog, and log into their shopping cart with the same username and password.
>
> So my question is how do I decrypt the password from the Wordpress style encryption. Also, I will have to encrypt the password to the Wordpress style if a user registers for an account in the checkout process.
Re: Wordpress password encryption decrypt with ColdFusion
Yeah, I only quickly glanced at the docs (http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c52.html) - it lists CFMX_COMPAT as the default, but that's the same as MD5.

Billy Cravens
bdcrav...@gmail.com

On Aug 25, 2011, at 4:07 PM, Cameron Childress wrote:
> On Thu, Aug 25, 2011 at 3:00 PM, Billy Cravens bdcrav...@gmail.com wrote:
>> Didn't think about that - you'd have to specify the algorithm:
>>
>>     hashedPw = hash(form.password, 'MD5')
>
> Nope. MD5 is the default. hash(form.password) will work just fine.
>
> -Cameron
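Added example, not from any poster in this thread: WordPress releases of that period (2.5 onward) write salted, iterated-MD5 phpass "portable" hashes (prefix `$P$`) to `wp_users.user_pass` and accept a bare 32-character MD5 only as a legacy format that is upgraded at the next login, so a plain `hash(form.password)` comparison matches legacy rows only. The sketch is in Python rather than CFML so it runs stand-alone; the function names and the sample salt are constructed here.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Constructed setting string: "$P$", cost char 'B' (2**13 rounds), 8-char salt.
SAMPLE_SETTING = "$P$B" + "cnstrctd"


def encode64(data: bytes) -> str:
    """phpass base64 variant: little-endian 24-bit groups over ITOA64."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # 1 byte -> 2 chars, 3 bytes -> 4
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a portable hash using the cost and salt held in `setting`."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("utf-8") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def wp_check_password(password: str, stored: str) -> tuple:
    """Return (matches, needs_rehash) for one stored user_pass value."""
    if len(stored) <= 32:
        # Legacy row: bare hex MD5, the only case a plain hash() compare covers.
        legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(legacy.encode("utf-8"), stored.encode("utf-8"))
        return ok, ok  # a matching legacy row should be upgraded at login
    try:
        candidate = phpass_hash(password, stored)
    except ValueError:
        return False, False
    ok = hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    return ok, False


if __name__ == "__main__":
    row = phpass_hash("correct horse", SAMPLE_SETTING)
    print(row, wp_check_password("correct horse", row))
    legacy_row = hashlib.md5(b"correct horse").hexdigest()
    print(legacy_row, wp_check_password("correct horse", legacy_row))
```

For new accounts created on the ColdFusion side, the same routine with a fresh random 8-character salt from the `ITOA64` alphabet produces a value WordPress will accept.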
Password Encryption
This may seem trivial: We have a site with about 300,000 user accounts and are becoming concerned about security and the possibility of accounts getting hijacked. One item on my checklist is to replace clear text passwords in the database with encoded ones.

My thoughts were to create a hash of each user's password in CF and compare logins against that. First off, I don't really know a lot about what CF does in terms of producing a hash, which means I am not clear on whether or not this is the best route to take.

I would like to know if there are any best practices around password encryption for user accounts stored in a database.

Thanks,
M
Re: Password Encryption
We just had a thread on this a few days ago, didn't we? Or was it one of those that forked and went in this direction? The subject was best practices w/passwords, or storing them or something like that.

Anyway, hashing isn't the be-all and end-all. It's a real good start, but you can do better. Check this out:

http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/

CF produces a one-way md5 hash with the hash() function.

The AccessMonger system presently hashes passwords. Literally right now I'm working on a revision that will salt them as well. It should be available on the DevEx by this evening.

There is more you can do, like run the pwd thru a filter to ensure there are numeric values in the word, then strip out the numeric values and run the surviving chars thru a dictionary filter.

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
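Added example, not part of the thread and not AccessMonger's code: what salting changes when a clear-text password column is converted. It compares unsalted MD5 (what a bare `hash()` stores) with a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library. The record layout, iteration count and sample rows are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumption: work factor, tune to your own hardware

# Constructed sample of the clear-text table (username, password).
SAMPLE_ROWS = [("alice", "Spring2003!"), ("bob", "Spring2003!"), ("carol", "k9#Tqz-41")]


def unsalted_md5(password: str) -> str:
    """What a bare CF hash() stores: uppercase hex MD5, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def users_sharing_a_value(stored: dict) -> list:
    """Audit helper: groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one text field."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and cost; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, len(expected))
    return hmac.compare_digest(dk, expected)


def migrate_plaintext_rows(rows, iterations: int = ITERATIONS) -> dict:
    """One-off batch: clear text in, salted records out (then drop the old column)."""
    return {user: hash_password(pw, iterations) for user, pw in rows}


if __name__ == "__main__":
    md5_table = {u: unsalted_md5(p) for u, p in SAMPLE_ROWS}
    print("unsalted, shared digests:", users_sharing_a_value(md5_table))
    salted = migrate_plaintext_rows(SAMPLE_ROWS)
    print("salted, shared records:  ", users_sharing_a_value(salted))
    print("alice logs in:", verify_password("Spring2003!", salted["alice"]))
```

Because the cost and salt travel inside each record, the iteration count can be raised later and old records still verify.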
RE: Password Encryption
We know that unlike MS Access, SQL Server doesn't have a password type field so it is necessary to encrypt it manually.

I wrote a tutorial for the excellent EasyCFM site and it can be found here:

http://tutorial113.easycfm.com/

It works well - but don't lose the key because a locksmith will be unable to help you.

Peter Tilbrook
ColdFusion Applications Developer
ColdGen Internet Solutions
Manager, ACT and Region ColdFusion Users Group - http://www.actcfug.com
4/73 Tharwa Road
Queanbeyan, NSW, 2620
AUSTRALIA
Telephone: +61-2-6284-2727
Mobile: +61-0439-401-823
E-mail: [EMAIL PROTECTED]
Password encryption
Hi

I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. What's the best way to make it secure? encrypting passwords stored in DB? or some other way..

Thanks
Shaz
RE: Password encryption
You could hash() the password on the way in, stops it being stored in clear text.

Jb.

-Original Message-
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 11:01
To: CF-Talk
Subject: Password encryption

> Hi
>
> I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. What's the best way to make it secure? encrypting passwords stored in DB? or some other way..
>
> Thanks
> Shaz
RE: Password encryption
http://www.houseoffusion.com/cf_lists/index.cfm/method=messagesthreadid=29317forumid=4

Just yesterday.

--
-dc
[ cf5, ora8.1.7, iis5 ]

-Original Message-
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 11:01
To: CF-Talk
Subject: Password encryption

> Hi
>
> I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. Whats the best way to make it secure? encrypting passwords stored in DB? or some other way..
>
> Thanks
> Shaz
RE: Password encryption
Depends on your security requirements. I do a one-way hash when the password is created, and email Users temporary passwords when they forget theirs. No one can look-up a password, not even the DBA.

-Original Message-
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 5:01 AM
To: CF-Talk
Subject: Password encryption

> Hi
>
> I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. Whats the best way to make it secure? encrypting passwords stored in DB? or some other way..
>
> Thanks
> Shaz
Re: best password encryption method
> when logging in, you hash the entered password, then do a select on the username, and the hashed password - if you get a record back, they are authenticated. Doing it this way avoids ever having to decrypt a password. Only catch is if you offer a system that can email the password to a user - now you need to decrypt the password, which hashing does not support.

I started hashing passwords recently. For 'lost passwords':

- User enters email address.
- If there's a match with a user account, that account is flagged and site admin(s) are automatically emailed notification that someone's waiting.
- Site admin logs in, and either clicks to generate new random password for user or enters one manually (obviously the former is better so that no one ever sees anyone else's password).
- This is mailed off to user.
- When a user first logs in, I have a 'change password if you want' screen - this is flagged to come up again if their password is changed as above.

I like the way this system allows users to put their own usual, secure passwords into your DB secure in the knowledge that even sysadmins can't see them. One of those things you take for granted on many websites until you have to code it yourself :)

- Gyrus
- [EMAIL PROTECTED]
work: http://www.tengai.co.uk
play: http://www.norlonto.net
- PGP key available

Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
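Added example, not the poster's code: the lost-password steps listed above modelled as account state, with only a salted hash of the temporary password ever stored. The `Account` fields, the one-day expiry and making the password change mandatory (the post makes it optional) are assumptions introduced here.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

TEMP_TTL = 24 * 3600  # assumption: a temporary password is valid for one day
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Account:
    email: str
    salt: bytes = b""
    pw_hash: bytes = b""
    reset_requested: bool = False  # set by the user's request, cleared by admin
    must_change: bool = False      # forces the change-password screen
    temp_expires: float = 0.0


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def set_password(acct: Account, password: str) -> None:
    """Store a fresh salt and hash; a user-chosen password clears must_change."""
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = derive(password, acct.salt)
    acct.must_change = False


def request_reset(accounts: dict, email: str) -> bool:
    """User enters an address; a matching account is flagged for the admins."""
    acct = accounts.get(email.strip().lower())
    if acct is None:
        return False  # the caller shows the same message either way
    acct.reset_requested = True
    return True


def issue_temporary_password(acct: Account, now: float) -> str:
    """Admin action: random password, hash stored, clear text mailed once."""
    if not acct.reset_requested:
        raise PermissionError("no pending reset request for this account")
    temp = "".join(secrets.choice(ALPHABET) for _ in range(16))
    set_password(acct, temp)
    acct.must_change = True
    acct.temp_expires = now + TEMP_TTL
    acct.reset_requested = False
    return temp


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'change_required' or 'denied'."""
    if not hmac.compare_digest(derive(password, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        return "change_required" if now <= acct.temp_expires else "denied"
    return "ok"
```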
Re: best password encryption method
I'd say the best is to not even use encryption, but a hash (message digest) instead. Hash is sometimes called encryption, but it can't be decrypted.

A hash (it's available as a CF function) is a one-way mathematical function. There is no decryption; only brute-force attack can tell you what a hashed value is. But the hash is predictable, it always gives the same output for the same input.

So, hash the user's password and store THAT in the database. Then, when the user wants to login again, first hash the password the user's entered, then compare that with the hashed password stored in the database.

Chris Norloff

-- Original Message --
from: Mak Wing Lok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
date: Wed, 3 Apr 2002 10:54:02 +0800

> anyone can suggest what is the best method to encrypt password that stored in the database?
>
> ---
> Pharmaniaga Berhad, your integrated healthcare provider www.pharmaniaga.com.my
> www.ehealth4all.com, your most convenient way to healthcare, everyday...
>
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential or privileged material. If you received this in error, please contact the sender and delete the material from any computer. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.
> ---
best password encryption method
anyone can suggest what is the best method to encrypt password that stored in the database?
Re: best password encryption method
My suggestion would be to use HASH (one-way encryption). Unless you have a specific reason for needing to decrypt passwords.

> anyone can suggest what is the best method to encrypt password that stored in the database?
RE: best password encryption method
I agree - this is the most secure.

when logging in, you hash the entered password, then do a select on the username, and the hashed password - if you get a record back, they are authenticated. Doing it this way avoids ever having to decrypt a password. Only catch is if you offer a system that can email the password to a user - now you need to decrypt the password, which hashing does not support.

My 2 cents worth.

Shawn Grover

-Original Message-
From: Tony Schreiber [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 9:13 PM
To: CF-Talk
Subject: Re: best password encryption method

> My suggestion would be to use HASH (one-way encryption). Unless you have a specific reason for needing to decrypt passwords.
>
>> anyone can suggest what is the best method to encrypt password that stored in the database?