WordPress password generation and login password verification

One. It is important to study how WordPress generates passwords and how it verifies login passwords.

WordPress passwords are the main obstacle when integrating other systems with WordPress; to get integration working, you have to understand the WordPress password algorithm.

The user password of the WordPress system is saved in the user_pass field of the wp_users data table. The password hash is generated by the Portable PHP Password Hashing Framework class. The stored form is random and irreversible: hashing the same plaintext password at different times produces different ciphertext, which makes it relatively safe.

Two. How passwords are generated

> Randomly generate a salt and combine the salt with the password.
> Apply MD5 count times, then append the encode64 of the resulting hash value.
> The final result is a password hash that starts with $P$, and it is different each time.

The following is the call WordPress uses to generate the password hash:

    // $wp_hasher is a PasswordHash instance, created as in section Three
    $wp_hasher->HashPassword($password);

Three. WordPress password generation and login verification

In WordPress, the class is located at \wp-includes\class-phpass.php

The following code, taken from WordPress, can be run directly to see the password generation and verification process:

    <?php
    class PasswordHash {
        var $itoa64;
        var $iteration_count_log2;
        var $portable_hashes;
        var $random_state;

        function __construct($iteration_count_log2, $portable_hashes)
        {
            $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

            if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
                $iteration_count_log2 = 8;
            $this->iteration_count_log2 = $iteration_count_log2;

            $this->portable_hashes = $portable_hashes;

            // Removed getmypid() for compatibility reasons
            $this->random_state = microtime() . uniqid(rand(), TRUE);
        }

        function get_random_bytes($count)
        {
            $output = '';
            if (@is_readable('/dev/urandom') &&
                ($fh = @fopen('/dev/urandom', 'rb'))) {
                $output = fread($fh, $count);
                fclose($fh);
            }

            // Fallback when /dev/urandom is unavailable
            if (strlen($output) < $count) {
                $output = '';
                for ($i = 0; $i < $count; $i += 16) {
                    $this->random_state = md5(microtime() . $this->random_state);
                    $output .= pack('H*', md5($this->random_state));
                }
                $output = substr($output, 0, $count);
            }

            return $output;
        }

        // Encode $count bytes of $input using the itoa64 alphabet
        function encode64($input, $count)
        {
            $output = '';
            $i = 0;
            do {
                $value = ord($input[$i++]);
                $output .= $this->itoa64[$value & 0x3f];
                if ($i < $count)
                    $value |= ord($input[$i]) << 8;
                $output .= $this->itoa64[($value >> 6) & 0x3f];
                if ($i++ >= $count)
                    break;
                if ($i < $count)
                    $value |= ord($input[$i]) << 16;
                $output .= $this->itoa64[($value >> 12) & 0x3f];
                if ($i++ >= $count)
                    break;
                $output .= $this->itoa64[($value >> 18) & 0x3f];
            } while ($i < $count);

            return $output;
        }

        function gensalt_private($input)
        {
            $output = '$P$';
            $output .= $this->itoa64[min($this->iteration_count_log2 +
                ((PHP_VERSION >= '5') ? 5 : 3), 30)];
            $output .= $this->encode64($input, 6);

            return $output;
        }

        function crypt_private($password, $setting)
        {
            $output = '*0';
            if (substr($setting, 0, 2) == $output)
                $output = '*1';

            $id = substr($setting, 0, 3);
            # We use "$P$", phpBB3 uses "$H$" for the same thing
            if ($id != '$P$' && $id != '$H$')
                return $output;

            $count_log2 = strpos($this->itoa64, $setting[3]);
            if ($count_log2 < 7 || $count_log2 > 30)
                return $output;

            $count = 1 << $count_log2;

            $salt = substr($setting, 4, 8);
            if (strlen($salt) != 8)
                return $output;

            # We're kind of forced to use MD5 here since it's the only
            # cryptographic primitive available in all versions of PHP
            # currently in use.  To implement our own low-level crypto
            # in PHP would result in much worse performance and
            # consequently in lower iteration counts and hashes that are
            # quicker to crack (by non-PHP code).
            if (PHP_VERSION >= '5') {
                $hash = md5($salt . $password, TRUE);
                do {
                    $hash = md5($hash . $password, TRUE);
                } while (--$count);
            } else {
                $hash = pack('H*', md5($salt . $password));
                do {
                    $hash = pack('H*', md5($hash . $password));
                } while (--$count);
            }

            $output = substr($setting, 0, 12);
            $output .= $this->encode64($hash, 16);

            return $output;
        }

        function gensalt_extended($input)
        {
            $count_log2 = min($this->iteration_count_log2 + 8, 24);
            # This should be odd to not reveal weak DES keys, and the
            # maximum valid value is (2**24 - 1) which is odd anyway.
            $count = (1 << $count_log2) - 1;

            $output = '_';
            $output .= $this->itoa64[$count & 0x3f];
            $output .= $this->itoa64[($count >> 6) & 0x3f];
            $output .= $this->itoa64[($count >> 12) & 0x3f];
            $output .= $this->itoa64[($count >> 18) & 0x3f];

            $output .= $this->encode64($input, 3);

            return $output;
        }

        function gensalt_blowfish($input)
        {
            # This one needs to use a different order of characters and a
            # different encoding scheme from the one in encode64() above.
            # We care because the last character in our encoded string will
            # only represent 2 bits.  While two known implementations of
            # bcrypt will happily accept and correct a salt string which
            # has the 4 unused bits set to non-zero, we do not want to take
            # chances and we also do not want to waste an additional byte
            # of entropy.
            $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

            $output = '$2a$';
            // Integer casts avoid float-to-int deprecation notices on PHP 8.1+
            $output .= chr(ord('0') + (int) ($this->iteration_count_log2 / 10));
            $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
            $output .= '$';

            $i = 0;
            do {
                $c1 = ord($input[$i++]);
                $output .= $itoa64[$c1 >> 2];
                $c1 = ($c1 & 0x03) << 4;
                if ($i >= 16) {
                    $output .= $itoa64[$c1];
                    break;
                }

                $c2 = ord($input[$i++]);
                $c1 |= $c2 >> 4;
                $output .= $itoa64[$c1];
                $c1 = ($c2 & 0x0f) << 2;

                $c2 = ord($input[$i++]);
                $c1 |= $c2 >> 6;
                $output .= $itoa64[$c1];
                $output .= $itoa64[$c2 & 0x3f];
            } while (1);

            return $output;
        }

        function HashPassword($password)
        {
            $random = '';

            if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
                $random = $this->get_random_bytes(16);
                $hash = crypt($password, $this->gensalt_blowfish($random));
                if (strlen($hash) == 60)
                    return $hash;
            }

            if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
                if (strlen($random) < 3)
                    $random = $this->get_random_bytes(3);
                $hash = crypt($password, $this->gensalt_extended($random));
                if (strlen($hash) == 20)
                    return $hash;
            }

            if (strlen($random) < 6)
                $random = $this->get_random_bytes(6);
            $hash = $this->crypt_private($password,
                $this->gensalt_private($random));
            if (strlen($hash) == 34)
                return $hash;

            # Returning '*' on error is safe here, but would _not_ be safe
            # in a crypt(3)-like function used _both_ for generating new
            # hashes and for validating passwords against existing hashes.
            return '*';
        }

        function CheckPassword($password, $stored_hash)
        {
            $hash = $this->crypt_private($password, $stored_hash);
            if ($hash[0] == '*')
                $hash = crypt($password, $stored_hash);

            // Strict comparison so PHP never type-juggles the two strings
            return $hash === $stored_hash;
        }
    }

    // Original password
    $passwordValue = "123456";

    // Generate password
    $wp_hasher = new PasswordHash(8, TRUE);
    $sigPassword = $wp_hasher->HashPassword($passwordValue);
    echo "Generated password is: " . $sigPassword;
    echo "\n";

    // Verify password
    $data = $wp_hasher->CheckPassword($passwordValue, $sigPassword);
    if ($data) {
        echo 'password is correct';
    } else {
        echo 'password error';
    }
    ?>

This is a working example of WordPress password generation and login verification, in which HashPassword generates the password hash and CheckPassword verifies a password against it.

itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; is the base string used for the generated salt, as mentioned above.
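For integration from a non-PHP system, the portable `$P$` scheme described above can be recomputed independently. The following Python version is an added example, not part of the original post or of WordPress; it handles only portable hashes (no bcrypt or DES fallback), rejects salts outside the itoa64 alphabet (stricter than the PHP class), and `md5_rounds` is a helper name introduced here.

```python
import hashlib
import hmac
import os

# Alphabet from class-phpass.php; a character's index is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass encoding: 3 bytes little-endian -> 4 chars, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for shift in range(0, 6 * (len(chunk) + 1), 6):  # n bytes -> n+1 chars
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a portable hash from the prefix, cost and salt in `setting`."""
    error = "*1" if setting.startswith("*0") else "*0"  # never equals the input
    salt = setting[4:12]
    bad_salt = len(salt) != 8 or any(c not in ITOA64 for c in salt)  # stricter than PHP
    if setting[:3] not in ("$P$", "$H$") or bad_salt:
        return error
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return error
    digest = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)

def hash_password(password: str, count_log2: int = 13, salt: bytes = b"") -> str:
    """Build "$P$" + cost char + encode64(6 salt bytes), then hash."""
    salt = salt or os.urandom(6)
    setting = "$P$" + ITOA64[count_log2] + encode64(salt[:6])
    return crypt_private(password.encode("utf-8"), setting)

def check_password(password: str, stored_hash: str) -> bool:
    """Constant-time comparison of the recomputed and stored hash strings."""
    computed = crypt_private(password.encode("utf-8"), stored_hash)
    return hmac.compare_digest(computed.encode(), stored_hash.encode())

def md5_rounds(stored_hash: str) -> int:
    """Number of MD5 iterations encoded in the 4th character."""
    return 1 << ITOA64.find(stored_hash[3])

if __name__ == "__main__":
    print(hash_password("123456", salt=bytes(range(6))))  # constructed salt
```

The default `count_log2` of 13 corresponds to `new PasswordHash(8, TRUE)` on PHP 5 and later (8 + 5), which is why such hashes begin with `$P$B`.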

Note: The CSDN code display plug-in restricts special characters, so in the original posting the two characters $' (a dollar sign followed by a single quotation mark) were shown as XXXXX in 5 places in the code. Wherever XXXXX appears in a copy of the code, replace it with $'.

Original Blog Link: http://blog.csdn.net/chengfei112233/article/details/6939144/

The above describes WordPress password generation and login password verification; I hope it is helpful to readers interested in PHP tutorials.
