Logic behind password encryption in joomla

Source : http://stackoverflow.com/questions/10428126/joomla-password-encryption

up vote36down voteaccepted

Joomla passwords are MD5 hashed, but the passwords are salted before being hashed. They are stored in the database as {hash}:{salt} this salt is a random string 32 characters in length. So to create a new password hash you would do md5($password.$salt) EDIT Okay so for checking a password, say a user myguy enters the password mypassword, you would retrieve the row from the database that has username myguy. In this row you'll find a password say 4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT. You split up the password hash and the salt: $hashparts = preg_split (':' , $dbpassword); echo $hashparts[0]; //this is the hash 4e9e4bcc5752d6f939aedb42408fd3aa echo $hashparts[1]; //this is the salt 0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT now calculate the hash using this salt and the password myguy entered $userhash = md5($userpassword.$hashparts[1]); // This would be 'mypassword' and the salt used in the original hash Now if this $userhash and $hashparts[0] are identical the user has entered the correct password. shareedit edited May 3 '12 at 13:48 answered May 3 '12 at 9:05 klennepette 2,1001118