Hello Farmy,
The code you posted helps and this examples the PHP algorithm:
http://pythonhosted.org/passlib/lib/passlib.hash.phpass.html
I recorded this in Python:
import random, hashlib
class PHPHash(object):
CHARS = '0123456789abcdefghijklmoqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def __init__(self,secret,rounds=10):
self.secret = secret
self.rounds = rounds
def hash(self,password, salt=None):
if salt is None:
salt = ''.join(random.choice(self.CHARS) for i in range(8))
checksum = hashlib.md5(salt+self.secret).hexdigest()
for k in range(2**self.rounds):
checksum = hashlib.md5(checksum+password).hexdigest()
hashed = '$P$%s%s%s' % (chr(self.rounds+ord('0')-5),salt,checksum)
return hashed
p = PHPHash('mysecret', rounds=13)
print p.hash('mypassword')
Please check it an make sure you can reproduce the PHP passwords. Once
that's done we can try implement a custom validator, based on CRYPT that
will work with them.
Massimo
On Sunday, 22 June 2014 15:40:32 UTC-5, farmy zdrowia wrote:
>
> I did kind of investigation by myself.
> I can see CB uses new Joomla "Portable PHP password hashing framework"
> functionality to crypt password. I noticed CB run on joomla 3.2.1,
> while my other site is on Joomla 2
>
> Anyway at the end of pasword cryption chain there is a function
> hashPassword and verifyPassword in libraries/joomla/user/helper.php
>
> abstract class JUserHelper
> public static function hashPassword($password)
> {
> // Use PHPass's portable hashes with a cost of 10.
> $phpass = new PasswordHash(10, true);
>
> return $phpass->HashPassword($password);
> }
>
>
> public static function verifyPassword($password, $hash, $user_id =
> 0)
> {
> $rehash = false;
> $match = false;
>
> // If we are using phpass
> if (strpos($hash, '$P$') === 0)
> {
> // Use PHPass's portable hashes with a cost of 10.
> $phpass = new PasswordHash(10, true);
>
> $match = $phpass->CheckPassword($password, $hash);
>
> $rehash = false;
> }
>
>
> Indeed all my passwords starts with "$P$"
>
> Whole algorithm to crypt CB/Joomla3.2.1 password is in file
> libraries/phpass/PasswordHash.php
>
>
>
> Question now is how to transform it to web2py CUSTOMER validator. I'll
> need your help
>
>
>
>
>
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
