[web2py] Re: web2py password encryption/decryption

2014-06-26 Thread farmy zdrowia
Massimo,
Your code hashes the password, but it is not recognized by Joomla. :)

Anyway I have got this class in py from the phpass framework web page. It works!
Now CUSTOMIZE CRYPT is the last effort. hash_password and check_password
shall be used.

import os
import time
import hashlib
import crypt

# Python 2 code: the str values below are byte strings, which is what
# hashlib.md5 expects here.

# Optional: only needed for the non-portable bcrypt ($2a$) hashes.
try:
    import bcrypt
    _bcrypt_hashpw = bcrypt.hashpw
except ImportError:
    _bcrypt_hashpw = None


class PasswordHash:
    def __init__(self, iteration_count_log2=8, portable_hashes=True,
                 algorithm=''):
        alg = algorithm.lower()
        if (alg == 'blowfish' or alg == 'bcrypt') and _bcrypt_hashpw is None:
            raise NotImplementedError('The bcrypt module is required')
        self.itoa64 = \
            './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
        if iteration_count_log2 < 4 or iteration_count_log2 > 31:
            iteration_count_log2 = 8
        self.iteration_count_log2 = iteration_count_log2
        self.portable_hashes = portable_hashes
        self.algorithm = algorithm
        self.random_state = '%r%r' % (time.time(), os.getpid())

    def get_random_bytes(self, count):
        # os.urandom is the real source; the md5 loop is only a fallback
        outp = ''
        try:
            outp = os.urandom(count)
        except:
            pass
        if len(outp) < count:
            outp = ''
            rem = count
            while rem > 0:
                self.random_state = hashlib.md5(str(time.time())
                    + self.random_state).hexdigest()
                outp += hashlib.md5(self.random_state).digest()
                rem -= 1
            outp = outp[:count]
        return outp

    def encode64(self, inp, count):
        # phpass' little-endian base-64 over the first `count` bytes of inp
        outp = ''
        cur = 0
        while cur < count:
            value = ord(inp[cur])
            cur += 1
            outp += self.itoa64[value & 0x3f]
            if cur < count:
                value |= (ord(inp[cur]) << 8)
            outp += self.itoa64[(value >> 6) & 0x3f]
            if cur >= count:
                break
            cur += 1
            if cur < count:
                value |= (ord(inp[cur]) << 16)
            outp += self.itoa64[(value >> 12) & 0x3f]
            if cur >= count:
                break
            cur += 1
            outp += self.itoa64[(value >> 18) & 0x3f]
        return outp

    def gensalt_private(self, inp):
        # '$P$' + one cost character + 8 salt characters
        outp = '$P$'
        outp += self.itoa64[min([self.iteration_count_log2 + 5, 30])]
        outp += self.encode64(inp, 6)
        return outp

    def crypt_private(self, pw, setting):
        # Portable hash: md5(salt + pw), then 2**count_log2 rounds of md5(hx + pw)
        outp = '*0'
        if setting.startswith(outp):
            outp = '*1'
        if not setting.startswith('$P$') and not setting.startswith('$H$'):
            return outp
        count_log2 = self.itoa64.find(setting[3])
        if count_log2 < 7 or count_log2 > 30:
            return outp
        count = 1 << count_log2
        salt = setting[4:12]
        if len(salt) != 8:
            return outp
        if not isinstance(pw, str):
            pw = pw.encode('utf-8')
        hx = hashlib.md5(salt + pw).digest()
        while count:
            hx = hashlib.md5(hx + pw).digest()
            count -= 1
        return setting[:12] + self.encode64(hx, 16)

    def gensalt_extended(self, inp):
        count_log2 = min([self.iteration_count_log2 + 8, 24])
        count = (1 << count_log2) - 1
        outp = '_'
        outp += self.itoa64[count & 0x3f]
        outp += self.itoa64[(count >> 6) & 0x3f]
        outp += self.itoa64[(count >> 12) & 0x3f]
        outp += self.itoa64[(count >> 18) & 0x3f]
        outp += self.encode64(inp, 3)
        return outp

    def gensalt_blowfish(self, inp):
        itoa64 = \
            './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
        outp = '$2a$'
        outp += chr(ord('0') + self.iteration_count_log2 / 10)
        outp += chr(ord('0') + self.iteration_count_log2 % 10)
        outp += '$'
        cur = 0
        while True:
            c1 = ord(inp[cur])
            cur += 1
            outp += itoa64[c1 >> 2]
            c1 = (c1 & 0x03) << 4
            if cur >= 16:
                outp += itoa64[c1]
                break
            c2 = ord(inp[cur])
            cur += 1
            c1 |= c2 >> 4
            outp += itoa64[c1]
            c1 = (c2 & 0x0f) << 2
            c2 = ord(inp[cur])
            cur += 1
            c1 |= c2 >> 6
            outp += itoa64[c1]
            outp += itoa64[c2 & 0x3f]
        return outp

    def hash_password(self, pw):
        rnd = ''
        alg = self.algorithm.lower()
        if (not alg or alg == 'blowfish' or alg == 'bcrypt') \
                and not self.portable_hashes:
            if _bcrypt_hashpw is None:
                if (alg == 'blowfish' or alg == 'bcrypt'):
                    raise NotImplementedError('The bcrypt module is required')
            else:
                rnd = self.get_random_bytes(16)
                salt = self.gensalt_blowfish(rnd)
                hx = _bcrypt_hashpw(pw, salt)
                if len(hx) == 60:
                    return hx
        if (not alg or alg ==
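The two operations the message says should be used, hash_password and check_password, restricted to the portable `$P$`/`$H$` format that Joomla's `new PasswordHash(10, true)` produces, written in Python 3 as an added example; this is not the class posted above, phpass's own code, or anything from web2py. The alphabet, the cost-character rule and the md5 round count follow PasswordHash.php as quoted in the thread (cost 10 maps to the cost character `D`, which is why the Joomla hash quoted earlier starts with `$P$D`). The password and the six fixed salt bytes in the usage call are constructed. Verification rejects malformed settings before doing any work and compares with hmac.compare_digest, so a wrong guess cannot be told apart by timing.

```python
import hashlib
import hmac
import os

# phpass' base-64 alphabet (the same itoa64 string the posted class uses)
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def encode64(data, count):
    """phpass' little-endian base-64 of the first `count` bytes of `data`."""
    out = []
    cur = 0
    while cur < count:
        value = data[cur]
        cur += 1
        out.append(ITOA64[value & 0x3f])
        if cur < count:
            value |= data[cur] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if cur >= count:
            break
        cur += 1
        if cur < count:
            value |= data[cur] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if cur >= count:
            break
        cur += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def crypt_private(password, setting):
    """Recompute the portable hash of `password` under the 12-character
    `setting` prefix ($P$ or $H$, one cost character, 8 salt characters).
    Returns a string starting with '*' when the setting is not usable, so the
    caller's comparison against the stored value can never succeed."""
    bad = '*1' if setting.startswith('*0') else '*0'
    if setting[:3] not in ('$P$', '$H$'):
        return bad
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return bad
    salt = setting[4:12]
    if len(salt) != 8:
        return bad
    pw = password.encode('utf-8')
    digest = hashlib.md5(salt.encode('ascii') + pw).digest()
    # 2**count_log2 further rounds of md5(previous digest + password)
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def hash_password(password, cost_log2=10, salt_bytes=None):
    """Portable hash in the layout Joomla's PasswordHash(10, true) produces."""
    if not 4 <= cost_log2 <= 31:
        cost_log2 = 8
    if salt_bytes is None:
        salt_bytes = os.urandom(6)  # 6 random bytes -> 8 salt characters
    setting = '$P$' + ITOA64[min(cost_log2 + 5, 30)] + encode64(salt_bytes, 6)
    return crypt_private(password, setting)


def check_password(password, stored_hash):
    """True only when the recomputed hash equals the stored one."""
    candidate = crypt_private(password, stored_hash)
    if candidate.startswith('*'):
        return False
    return hmac.compare_digest(candidate.encode('ascii'),
                               stored_hash.encode('ascii'))


if __name__ == '__main__':
    # Constructed password and fixed salt bytes, so the output is reproducible.
    h = hash_password('correct horse', cost_log2=10,
                      salt_bytes=b'\x01\x02\x03\x04\x05\x06')
    print(h, len(h))                      # starts with $P$D, 34 characters
    print(check_password('correct horse', h), check_password('wrong', h))
```

A web2py CUSTOM validator for this column only needs check_password on login and hash_password when a user sets a new password; a stored value that is not 34 characters or does not start with `$P$`/`$H$` should be treated as a failed match rather than passed to another algorithm.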

[web2py] Re: web2py password encryption/decryption

2014-06-24 Thread farmy zdrowia
THX a lot Massimo, it is very much appreciated. I'll check this ASAP. Be
patient please.

On Monday, June 23, 2014 11:21:42 AM UTC+2, Massimo Di Pierro wrote:

> Hello Farmy,
>
> The code you posted helps and this explains the PHP algorithm:
> http://pythonhosted.org/passlib/lib/passlib.hash.phpass.html
>
> I recoded this in Python:
>
> import random, hashlib
>
> class PHPHash(object):
>     CHARS = '0123456789abcdefghijklmoqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
>     def __init__(self,secret,rounds=10):
>         self.secret = secret
>         self.rounds = rounds
>     def hash(self,password, salt=None):
>         if salt is None:
>             salt = ''.join(random.choice(self.CHARS) for i in range(8))
>         checksum = hashlib.md5(salt+self.secret).hexdigest()
>         for k in range(2**self.rounds):
>             checksum = hashlib.md5(checksum+password).hexdigest()
>         hashed = '$P$%s%s%s' % (chr(self.rounds+ord('0')-5),salt,checksum)
>         return hashed
>
> p = PHPHash('mysecret', rounds=13)
> print p.hash('mypassword')
>
> Please check it and make sure you can reproduce the PHP passwords. Once
> that's done we can try to implement a custom validator, based on CRYPT, that
> will work with them.
>
> Massimo
>
> On Sunday, 22 June 2014 15:40:32 UTC-5, farmy zdrowia wrote:
>
> > I did a kind of investigation by myself.
> > I can see CB uses the new Joomla Portable PHP password hashing framework
> > functionality to crypt passwords. I noticed CB runs on Joomla 3.2.1,
> > while my other site is on Joomla 2.
> >
> > Anyway at the end of the password encryption chain there are the functions
> > hashPassword and verifyPassword in libraries/joomla/user/helper.php
> >
> > abstract class JUserHelper
> >     public static function hashPassword($password)
> >     {
> >         // Use PHPass's portable hashes with a cost of 10.
> >         $phpass = new PasswordHash(10, true);
> >
> >         return $phpass->HashPassword($password);
> >     }
> >
> >     public static function verifyPassword($password, $hash, $user_id = 0)
> >     {
> >         $rehash = false;
> >         $match = false;
> >
> >         // If we are using phpass
> >         if (strpos($hash, '$P$') === 0)
> >         {
> >             // Use PHPass's portable hashes with a cost of 10.
> >             $phpass = new PasswordHash(10, true);
> >
> >             $match = $phpass->CheckPassword($password, $hash);
> >
> >             $rehash = false;
> >         }
> >
> > Indeed all my passwords start with $P$
> >
> > The whole algorithm to crypt CB/Joomla 3.2.1 passwords is in the file
> > libraries/phpass/PasswordHash.php
> >
> > Question now is how to transform it to a web2py CUSTOM validator. I'll
> > need your help


-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: web2py password encryption/decryption

2014-06-23 Thread Massimo Di Pierro
Hello Farmy,

The code you posted helps and this explains the PHP algorithm:
http://pythonhosted.org/passlib/lib/passlib.hash.phpass.html

I recoded this in Python:

import random, hashlib

class PHPHash(object):
    CHARS = '0123456789abcdefghijklmoqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    def __init__(self,secret,rounds=10):
        self.secret = secret
        self.rounds = rounds
    def hash(self,password, salt=None):
        if salt is None:
            salt = ''.join(random.choice(self.CHARS) for i in range(8))
        checksum = hashlib.md5(salt+self.secret).hexdigest()
        for k in range(2**self.rounds):
            checksum = hashlib.md5(checksum+password).hexdigest()
        hashed = '$P$%s%s%s' % (chr(self.rounds+ord('0')-5),salt,checksum)
        return hashed

p = PHPHash('mysecret', rounds=13)
print p.hash('mypassword')

Please check it and make sure you can reproduce the PHP passwords. Once
that's done we can try to implement a custom validator, based on CRYPT, that
will work with them.

Massimo

On Sunday, 22 June 2014 15:40:32 UTC-5, farmy zdrowia wrote:

> I did a kind of investigation by myself.
> I can see CB uses the new Joomla Portable PHP password hashing framework
> functionality to crypt passwords. I noticed CB runs on Joomla 3.2.1,
> while my other site is on Joomla 2.
>
> Anyway at the end of the password encryption chain there are the functions
> hashPassword and verifyPassword in libraries/joomla/user/helper.php
>
> abstract class JUserHelper
>     public static function hashPassword($password)
>     {
>         // Use PHPass's portable hashes with a cost of 10.
>         $phpass = new PasswordHash(10, true);
>
>         return $phpass->HashPassword($password);
>     }
>
>     public static function verifyPassword($password, $hash, $user_id = 0)
>     {
>         $rehash = false;
>         $match = false;
>
>         // If we are using phpass
>         if (strpos($hash, '$P$') === 0)
>         {
>             // Use PHPass's portable hashes with a cost of 10.
>             $phpass = new PasswordHash(10, true);
>
>             $match = $phpass->CheckPassword($password, $hash);
>
>             $rehash = false;
>         }
>
> Indeed all my passwords start with $P$
>
> The whole algorithm to crypt CB/Joomla 3.2.1 passwords is in the file
> libraries/phpass/PasswordHash.php
>
> Question now is how to transform it to a web2py CUSTOM validator. I'll
> need your help




[web2py] Re: web2py password encryption/decryption

2014-06-22 Thread farmy zdrowia

I'm so sorry for the late answer. I was out of office/home for a while. Busy
time this 2014, I can see :).

Anyway, Massimo is absolutely right. I have two Joomla sites.
One is the original Joomla _user, and indeed its passwords are according to the standard
described in the link.
Example (c563e965be1369f9030863daca32a544:fwQkHlQqimvzfDBisPZkruuYCTvTsxSU)

The second one has the Community Builder module installed. And this is the root
cause why password handling is different.
I shall write how to integrate Community Builder and web2py then :(




[web2py] Re: web2py password encryption/decryption

2014-06-22 Thread farmy zdrowia
I did a kind of investigation by myself.
I can see CB uses the new Joomla Portable PHP password hashing framework
functionality to crypt passwords. I noticed CB runs on Joomla 3.2.1,
while my other site is on Joomla 2.

Anyway at the end of the password encryption chain there are the functions
hashPassword and verifyPassword in libraries/joomla/user/helper.php

abstract class JUserHelper
    public static function hashPassword($password)
    {
        // Use PHPass's portable hashes with a cost of 10.
        $phpass = new PasswordHash(10, true);

        return $phpass->HashPassword($password);
    }

    public static function verifyPassword($password, $hash, $user_id = 0)
    {
        $rehash = false;
        $match = false;

        // If we are using phpass
        if (strpos($hash, '$P$') === 0)
        {
            // Use PHPass's portable hashes with a cost of 10.
            $phpass = new PasswordHash(10, true);

            $match = $phpass->CheckPassword($password, $hash);

            $rehash = false;
        }

Indeed all my passwords start with $P$

The whole algorithm to crypt CB/Joomla 3.2.1 passwords is in the file
libraries/phpass/PasswordHash.php

Question now is how to transform it to a web2py CUSTOM validator. I'll need
your help




[web2py] Re: web2py password encryption/decryption

2014-05-31 Thread Massimo Di Pierro
We can help you read and validate Joomla passwords (you need a custom 
validator instead of CRYPT) but we do not know how:
$P$DryHu7D3LgdPOK//FPvuVMcMR13HgU1
was generated. What algorithm?
It does not appear to be compatible with what the docs 
say: http://stackoverflow.com/questions/10428126/joomla-password-encryption

In the case of web2py:
pbkdf2(1000,20,sha512)$a76b573005c73906$01f33be064bd2a283350206fd29355f9fa2b30fe

pbkdf2(1000,20,sha512) is the algorithm
a76b573005c73906 is the salt
01f33be064bd2a283350206fd29355f9fa2b30fe is the hashed password+salt.


On Friday, 30 May 2014 09:22:40 UTC-5, farmy zdrowia wrote:

> Hello,
> I'm trying to integrate web2py users to be stored in the Joomla _users
> database instead of auth_user. I can see Joomla and web2py use different
> algorithms to code/decode passwords.
> Joomla password looks like:
>   $P$DryHu7D3LgdPOK//FPvuVMcMR13HgU1
> , while web2py
>   pbkdf2(1000,20,sha512)$a76b573005c73906$01f33be064bd2a283350206fd29355f9fa2b30fe
>
> I'd like to change the web2py default algorithm to code/decode passwords to be
> similar to Joomla, simply to have a common users database.
> Could you help a bit and guide me where this function is located and how
> to change it?


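The three fields Massimo picks out of the web2py value (algorithm with its parameters, salt, derived key) can be parsed and checked with the standard library alone. This is an added example, not web2py's own CRYPT code: it takes the layout from the message and assumes the value is PBKDF2-HMAC with the named digest, iteration count and key length, the salt consumed as its ASCII characters and the key hex-encoded (the salt handling is an assumption of this example). The password in the usage call is constructed; the thread's own value is parsed but not verified, since its password is not on the page.

```python
import hashlib
import hmac
import os
import re

# Layout Massimo takes apart: algorithm$salt$hash, where the algorithm field
# itself carries the iteration count, key length and digest name.
_WEB2PY_PBKDF2 = re.compile(
    r'^pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-fA-F]+)\$([0-9a-fA-F]+)$')


def parse_web2py_hash(stored):
    """Return the fields of a web2py pbkdf2 CRYPT string, or raise ValueError."""
    m = _WEB2PY_PBKDF2.match(stored)
    if not m:
        raise ValueError('not a web2py pbkdf2(...)$salt$hash value')
    iterations, keylen, digest, salt, hexhash = m.groups()
    if digest not in hashlib.algorithms_available:
        raise ValueError('unknown digest %r' % digest)
    return {'iterations': int(iterations), 'keylen': int(keylen),
            'digest': digest, 'salt': salt, 'hash': hexhash.lower()}


def _derive(password, iterations, keylen, digest, salt):
    # Assumption of this example: the salt is fed in as its ASCII characters.
    return hashlib.pbkdf2_hmac(digest, password.encode('utf-8'),
                               salt.encode('ascii'), iterations, dklen=keylen)


def make_web2py_hash(password, iterations=1000, keylen=20, digest='sha512',
                     salt=None):
    """Produce a value in the same layout; defaults mirror the sample value."""
    if salt is None:
        salt = os.urandom(8).hex()  # 16 hex characters, like a76b573005c73906
    dk = _derive(password, iterations, keylen, digest, salt)
    return 'pbkdf2(%d,%d,%s)$%s$%s' % (iterations, keylen, digest, salt, dk.hex())


def verify_web2py_hash(password, stored):
    """True only for a well-formed web2py value whose derived key matches."""
    try:
        f = parse_web2py_hash(stored)
    except ValueError:
        return False  # e.g. a Joomla '$P$...' string stored in this column
    dk = _derive(password, f['iterations'], f['keylen'], f['digest'], f['salt'])
    # Constant-time comparison of the hex strings
    return hmac.compare_digest(dk.hex(), f['hash'])


if __name__ == '__main__':
    sample = ('pbkdf2(1000,20,sha512)$a76b573005c73906$'
              '01f33be064bd2a283350206fd29355f9fa2b30fe')  # value from the thread
    print(parse_web2py_hash(sample))
    h = make_web2py_hash('constructed-password')        # constructed input
    print(h, verify_web2py_hash('constructed-password', h))
```

Because the parameters travel inside the stored value, a verifier written this way keeps working when the iteration count or digest is raised later; a Joomla `$P$` value in the same column fails to parse and is rejected instead of being fed to the wrong algorithm.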