Reputation: 2435
I have an application with a user table and hashed passwords created by Devise in a Ruby on Rails website.
I want to migrate those users to WordPress.
According to the PHP documentation you can use the BCRYPT algorithm for passwords, and this is the same encryption method (afaik) that is used by Devise.
The hashed passwords I have are all 60 characters long, and they all begin with the prefix `$2y$`.
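However, when I try to follow the code example:

```php
<?php
echo "Welcome to PHPSandbox";
// Single quotes keep PHP from interpolating the "$" characters in the hash.
$hash = '$2y${MyHASHEDPASSWORDHERE}';
// Print the boolean result of the check.
var_dump(password_verify('{MYPASSWORDHERE}', $hash));
```

It outputs false.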
Yet when I follow the example in the documentation, it outputs true.
Devise must have added some extra complexity to the Hash Password, and so now when I run `password_verify` using PHP 8 it is not able to verify that the hash and the password match.
How can I verify the hashed passwords coming from Devise on a Ruby on Rails application in PHP?
Upvotes: 1
Views: 148
Reputation: 2488
Migration of passwords can be integrated into the application while still on the old system.
You would need to have the old password hashing mechanism in place, and the new algorithm plus a second column in your database to store the password with the new hashing method.
When the user authenticates, e.g. the first password check validates the password, you can hash it with the second method into the second column (you'd only do this if the second column is still empty).
At some point, you remove the old password hash & database column. Anybody who hasn't authenticated until then must go through the "password forgotten" process.
Upvotes: 0
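The migrate-on-login flow described in the answer above, as an added example (not code from the answer, Devise or WordPress). It assumes a users row with hypothetical columns `legacy_hash` and `new_hash`, that the new column holds PHP `password_hash` output, and that the old system's check is passed in as a callable; the sample users and passwords are constructed.

```php
<?php
declare(strict_types=1);

// Returns 'ok', 'denied' or 'reset_required'. $user is one row of a
// hypothetical users table (legacy_hash and new_hash are assumed column
// names), passed by reference so the caller can persist the change.
function login_and_migrate(array &$user, string $password, callable $legacyVerify): string
{
    // Already migrated: only the new column is consulted.
    if ($user['new_hash'] !== null) {
        return password_verify($password, $user['new_hash']) ? 'ok' : 'denied';
    }
    // Old column already dropped and user never migrated: "password forgotten" flow.
    if ($user['legacy_hash'] === null) {
        return 'reset_required';
    }
    // First check uses the old mechanism, whatever the old system does.
    if (!$legacyVerify($password, $user['legacy_hash'])) {
        return 'denied';
    }
    // The plaintext is only available at this moment, so fill the empty second column.
    $user['new_hash'] = password_hash($password, PASSWORD_DEFAULT);
    return 'ok';
}

// Final step of the migration: drop the old hashes.
function retire_legacy_hashes(array &$users): void
{
    foreach ($users as &$user) {
        $user['legacy_hash'] = null;
    }
    unset($user);
}

// Constructed sample data. The "legacy" hashes are plain bcrypt made for this
// demo; a real deployment plugs in the old application's own check.
$legacyVerify = fn(string $pw, string $hash): bool => password_verify($pw, $hash);
$users = [
    'alice' => ['legacy_hash' => password_hash('alice-demo-pw', PASSWORD_BCRYPT), 'new_hash' => null],
    'bob'   => ['legacy_hash' => password_hash('bob-demo-pw', PASSWORD_BCRYPT), 'new_hash' => null],
];

var_dump(login_and_migrate($users['alice'], 'wrong-pw', $legacyVerify));      // wrong password, not yet migrated
var_dump(login_and_migrate($users['alice'], 'alice-demo-pw', $legacyVerify)); // correct password, first login
retire_legacy_hashes($users);                                                 // cut-over: old column emptied
var_dump(login_and_migrate($users['alice'], 'alice-demo-pw', $legacyVerify)); // migrated user after cut-over
var_dump(login_and_migrate($users['bob'], 'bob-demo-pw', $legacyVerify));     // user who never logged in
```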