eMember registration hashing function
- This topic has 7 replies, 3 voices, and was last updated 6 years, 10 months ago by admin.
January 17, 2018 at 12:01 am #14647 Linda Bell (Participant)
We have a custom plugin that makes use of the ‘eMember_registration_complete’ callback. In $member_data, [password] is returned as a phPass hashed string. We would like to use a different hashing method — is it possible to get this password value in plaintext or change the hashing function? Thanks!
January 17, 2018 at 12:51 am #77117 wzp (Moderator)
It sounds like you were wanting a method of knowing the member’s plaintext password, as the hashed password is a one-way function. Why?
January 17, 2018 at 1:03 am #77118 Linda Bell (Participant)
We need to use the (same) password to create an account for that member on another website that uses a different hashing function. (We own/manage both websites. The 2nd site is not a WordPress website.)
January 17, 2018 at 2:13 am #77119 wzp (Moderator)
There is no way for you to unilaterally copy user accounts from one site to another in a manner that preserves the existing user passwords, because:
- There is no way to decode an existing password hash. That is why it is called a “one-way hash.”
- Copying an existing hash to another site “won’t work” either. That is because each site installation uses a different “encryption salt” value.
The best recommendation is to implement this process:
https://support.tipsandtricks-hq.com/forums/topic/emember-passwords-for-imported-users
Of course, since the second site is not WordPress, you’d have to do something similar, but in a different manner.
There is also another reason for not trying to decode your users’ passwords… legal liability. Some (ignorant/uninformed) users tend to instinctively use the same password for your site as for their bank, PayPal, or other “confidential/secret” website access. If you knew the username, plaintext password and email for all of your users, chances are “pretty good” that you can enter them into some other website and gain access.
January 17, 2018 at 2:26 am #77120 Linda Bell (Participant)
The way that we are setting up our secondary user account creation function is via a custom WordPress plugin that connects to the eMember_registration_complete callback, which comes populated with the user-submitted data from the wp-eMember account registration form following payment. We take this data, then ship it over to our other database to create a single login that works across both platforms, based on their initial credentials.
The form includes non-hashed data like their name, phone number, etc., while the password is hashed. We would like to use a different hashing algorithm on the second site, to match our existing schema (SHA2-256) without compromising the login functionality of the eMember backend on WordPress.
To accomplish this, we simply need access to the plaintext password before the plugin hashes it, if that makes sense.
January 17, 2018 at 2:34 am #77121 wzp (Moderator)
> To accomplish this, we simply need access to the plaintext password before the plugin hashes it, if that makes sense.
There is a way to obtain the plaintext passwords, but it borders on the illegal… You’d have to modify the eMember login code to save a copy of the plaintext password, at the time of each user’s next successful login. How often users log into your site determines how fast you can collect the passwords. With that said, and considering the reasons I stated earlier for why you should not try finding out the plaintext passwords, are you really sure you want to do this?
P.S. You would have to make “that” particular code modification on your own.
January 17, 2018 at 3:05 am #77122 Linda Bell (Participant)
Thinking about this some more, I think the best compromise to achieve the desired result will be to use the hashed password from the eMember plugin, then check against the SHA2-256 hash OR phPass hash. Collisions within the database should be a non-issue for our small userbase.
January 18, 2018 at 12:52 am #77123 admin (Keymaster)
Instead of trying to store plain passwords, you can potentially just use the same password checking functionality that eMember uses. You can create a function in your custom code to do the password checking the same way eMember does. Then your customized code will use a good practice when it comes to storing passwords.