Reputation: 4293
I'm developing a web site using Joomla 2.5. I have included another sample site for the above parent site. From this child site I'm gonna add new users to the database, but these two sites use different methods for password encryption.
I found something on the web as Joomla encryption but it seems to be not working.
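
    // Build a random salt from a 62-character alphanumeric alphabet
    function genRandomPassword($length = 32)
    {
        $salt = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $makepass = '';
        // Seeds mt_rand() from the clock; mt_rand() is not a cryptographically secure generator
        mt_srand(10000000 * (double) microtime());
        for ($i = 0; $i < $length; $i++) {
            $makepass .= $salt[mt_rand(0, 61)];
        }
        return $makepass;
    }

    // Cap the submitted password at 100 characters
    if (strlen($_POST['pwd']) > 100)
    {
        $_POST['pwd'] = substr($_POST['pwd'], 0, 100);
    }

    $salt = genRandomPassword();
    // Stored format: md5(password . salt) . ':' . salt
    $pass = md5(stripslashes($_POST['pwd']) . $salt) . ':' . $salt;
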
Isn't this the method, or where am I going wrong?
Thank you
Upvotes: 0
Views: 6464
Reputation: 3998
I don't think we can get the salt in new Joomla versions. The pattern dividing password and salt with ":" is no longer used by Joomla.
I got to log the user in from an external source using the Joomla username and password. This works for 2.5.24 (as I worked on this version when I used it; hope it should work with Joomla 3.x.x as well).
I'm doing this login functionality with the following code in the function called

    onUserAuthenticate($credentials, $options, &$response)

This is how I've used it to log in the user:

    // Get a database object
    $db = JFactory::getDbo();
    $query = $db->getQuery(true);
    $query->select('id, password');
    $query->from('#__users');
    // Match on username or email; both values are quoted by the database driver
    $query->where('username = ' . $db->quote($credentials['username']) . ' OR email = ' . $db->quote($credentials['username']));
    $db->setQuery($query);
    $result = $db->loadObject();

    // Verify the submitted password against the stored hash
    if ($result)
    {
        $match = JUserHelper::verifyPassword($credentials['password'], $result->password, $result->id);
        if ($match === true)
        {
            $user = JUser::getInstance($result->id); // Bring this in line with the rest of the system
            $response->email = $user->email;
            $response->fullname = $user->name;
            if (JFactory::getApplication()->isAdmin())
            {
                $response->language = $user->getParam('admin_language');
            }
            else
            {
                $response->language = $user->getParam('language');
            }
            $response->status = JAuthentication::STATUS_SUCCESS;
            $response->error_message = '';
        }
    }

Hope this helps someone!!
Upvotes: 1
Reputation: 47
I found the answer:
A. The user typed the password - 'testing'
B. Take from the database the record which you saved for this user: 5cf56p85sf15lpyf30c3fd19819p58ly:aNs1L5PajsIscupUskaNdPenustelsPe
C. Concatenate the user password with the second part of the record (from step B) -> testingaNs1L5PajsIscupUskaNdPenustelsPe
D. Generate the MD5 of step C
E. Compare the result of step C with the first part of the record from step B (5cf56p85sf15lpyf30c3fd19819p58ly); if it's the same, it means the user typed the correct password
Upvotes: 3
Reputation: 4293
Finally found the way; think this will help someone else :)

    // Cap the submitted password at 100 characters
    if (strlen($_POST['pwd']) > 100)
    {
        $_POST['pwd'] = substr($_POST['pwd'], 0, 100);
    }
    $salt = genRandomPassword();
    // $pass is the encrypted password, stored as md5(password . salt) . ':' . salt
    $pass = md5(stripslashes($_POST['pwd']) . $salt) . ':' . $salt;

Hash generation as follows:

    function genRandomPassword($length = 32)
    {
        $salt = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $len = strlen($salt);
        $makepass = '';
        mt_srand(10000000 * (double) microtime());
        for ($i = 0; $i < $length; $i++) {
            $makepass .= $salt[mt_rand(0, $len - 1)];
        }
        return $makepass;
    }

Upvotes: 1
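
An added example (not part of any answer above, and not Joomla's own code): steps A to E from the third answer and the record creation from the last answer, written as PHP 7.1+ functions. The function names are hypothetical and the sample password is constructed; the salt is drawn from random_int() rather than mt_rand(), and the comparison uses hash_equals().

```php
<?php
/** Split a stored value into [hash, salt]; null if it is not "md5hex:salt". */
function parseLegacyRecord(string $stored): ?array
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2
        || !preg_match('/^[0-9a-f]{32}$/', $parts[0])
        || $parts[1] === '') {
        return null;
    }
    return $parts;
}

/** Steps C to E: true or false for a legacy record, null for any other format. */
function verifyLegacyPassword(string $typed, string $stored): ?bool
{
    $record = parseLegacyRecord($stored);
    if ($record === null) {
        // Not md5:salt; inside Joomla, call JUserHelper::verifyPassword() instead
        return null;
    }
    [$hash, $salt] = $record;
    // hash_equals() compares in constant time, unlike == or ===
    return hash_equals($hash, md5($typed . $salt));
}

/** Build "md5(password . salt):salt" with a salt from the system CSPRNG. */
function makeLegacyRecord(string $password, int $saltLength = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $saltLength; $i++) {
        $salt .= $alphabet[random_int(0, $max)];
    }
    return md5($password . $salt) . ':' . $salt;
}

// Constructed sample data: one legacy record and one value in another format
$stored = makeLegacyRecord('testing');
var_dump(verifyLegacyPassword('testing', $stored));
var_dump(verifyLegacyPassword('Testing', $stored));
var_dump(verifyLegacyPassword('testing', '$2y$10$' . str_repeat('a', 53)));
```

A null result means the stored value is not in the md5:salt format, which is the situation the second answer describes for newer Joomla versions.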