WordPress passwords, explained and cracked | Francesco Carlucci

If you enjoy going to WordCamps as I do, you have probably heard this already: "WordPress password hashing is not safe", or in the most technical version: "...because it is md5 based". True or not, strong password hashing is crucial for a large ecosystem like the WordPress one, which has always been a juicy target for hackers. So, I decided to take a closer look at the hashing system and try to crack WordPress hashes from scratch!

Understanding WordPress password hashes

I started doing some googling and found that most of the information out there is generic and confusing. Lots of references to the PHP libraries used (portable hash from phpass), but nothing really concrete. I decided to take a different approach, starting from an assumption: hashing is a one-way process, but WordPress is somehow able to authenticate users by matching their password input with the hash stored in the database.

From there, I started checking the code and found the first interesting function: wp_check_password($password,$hash), which compares the plain text password with the hash and returns true if they match.

```php
// Excerpt from the body of wp_check_password()
// presume the new style phpass portable hash.
// By default, use the portable hash from phpass.
$wp_hasher = new PasswordHash( 8, true );

$check = $wp_hasher->CheckPassword( $password, $hash );

/** This filter is documented in wp-includes/pluggable.php */
return apply_filters( 'check_password', $check, $password, $hash, $user_id );
```

Going through the code quickly brings us to CheckPassword, crypt_private and encode64, which is basically where the magic happens. Long story short, crypt_private($password, $stored_hash) re-hashes the password before it gets compared to the stored hash. If they match, the password is correct and authentication goes on. Which means that we can also use that function to crack the hash.

For simplicity, we will assume the site uses PHP>5 and the newest phpass portable hash, which is the most common setup.

This is a WordPress hash: $P$BnPVO4gP9JUMSAM1WlLTHPdH6EDj4e1

The first 3 characters $P$ are an ID, telling the system which kind of hash we have.

Character number 3 (counting from 0) is used to determine how many times md5() has to process the input string.

Chars from 4 to 12 nPVO4gP9 are the salt, which is a random string appended to the password before hashing, to give it more randomness. For example, if your password is admin, it gets turned to nPVO4gP9admin and then hashed.

The remaining part of the hash JUMSAM1WlLTHPdH6EDj4e1 is the real randomness, generated by the salt+password passed in an undocumented encode64 function, which performs some bitwise operations on the input string and returns a 22 chars output.
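The hash layout and the re-hashing step described above, as an added Python example (not code from the original post, WordPress or phpass): it ports crypt_private and encode64 so a stored hash can be split into its fields and a password checked against it. The names PortableHash, parse_hash and check_password are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

# phpass alphabet: used for the cost character and for encode64 output
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

class PortableHash(NamedTuple):  # illustrative name, not a WordPress type
    ident: str    # "$P$"
    rounds: int   # how many times md5() is re-applied
    salt: str     # 8 characters
    digest: str   # 22 characters produced by encode64

def parse_hash(stored: str) -> PortableHash:
    """Split a 34-character portable hash into the fields described above."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(stored[3])  # cost character stores log2 of the rounds
    if not 7 <= log2 <= 30:
        raise ValueError("iteration count out of range")
    return PortableHash(stored[:3], 1 << log2, stored[4:12], stored[12:])

def encode64(data: bytes) -> str:
    """phpass encoding: each 3 input bytes, low bits first, give 4 characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1))
    return "".join(out)

def crypt_private(password: str, setting: str) -> str:
    """Re-hash `password` with the cost and salt taken from `setting`."""
    fields = parse_hash(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(fields.salt.encode("utf-8") + pw).digest()
    for _ in range(fields.rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def check_password(password: str, stored: str) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one
    return hmac.compare_digest(crypt_private(password, stored).encode(), stored.encode())

# The hash shown on this page, split into its fields
EXAMPLE = parse_hash("$P$BnPVO4gP9JUMSAM1WlLTHPdH6EDj4e1")

if __name__ == "__main__":
    print(EXAMPLE)
```

For the page's hash, the cost character B decodes to 8192 md5 rounds, which is the figure to keep in mind when judging how much work each password guess costs.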