Question 165550 in Wordpress Question posted in
The official Wordpress documentation can be found here.

Can Typo3 users with pbkdf2 hashed passwords be migrated to WordPress with phpass hash method?

Basically, I want to mirgrate a list of users with a pw that is hashed with pbkdf2-sha256 to a cms which uses phpass.

In order to accomplish this I try to check the entered pw by the user and generate the typo3 hashed pw in order to compare it with the record in the database.

I tried to reverse engineer the pbkdf2 hashing that typo3 uses (with a example user pw), but I don’t get the expected result:

base64_encode( hash_pbkdf2( "sha256", "88t8R7EfRj9Xf3P", "4f3YKAmnn1dBBU1OPwfdzQ", 25000, 0, true ));

Result: x806WJJRfoHq25Pq2OTs3xfa18qIJ7tzwWaAzO3aKzU=

The stored hashed pw in the db is:

$pbkdf2-sha256$25000$4f3YKAmnn1dBBU1OPwfdzQ$fq4u5vEp6hm8G6Xi7E2UcnEjcLRgMhJ2Yx9v7ikWyZs

When I try this with a given example from stack overflow it works:

 base64_encode( hash_pbkdf2( "sha256", "school bus", "BbirbJq1C1G7", 100000, 0, true ));

Result: IcYmssO2bsILHcTCzLxPs/YmVGNmKb3cSt2JWzVzP2I=

expected result: pbkdf2_sha256$100000$BbirbJq1C1G7$IcYmssO2bsILHcTCzLxPs/YmVGNmKb3cSt2JWzVzP2I=

I would really appreciate if someone can help with this.

Greetings, Julian

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    This does the trick except the padding:

    $salt = base64_decode("4f3YKAmnn1dBBU1OPwfdzQ");
$hash_to_compare_with_db = base64_encode( hash_pbkdf2( "sha256", "88t8R7EfRj9Xf3P", $salt, 25000, 0, true ));

    Thanks to all and especially to user 9014097


  2. 0

    You found the answer on your own if you have a closer look at your last example.

    You wrote you tried this:

    base64_encode( hash_pbkdf2( "sha256", "88t8R7EfRj9Xf3P", "4f3YKAmnn1dBBU1OPwfdzQ", 25000, 0, true ));

    and hash is incorrect but this one is "partially" what you expect:

    base64_encode( hash_pbkdf2( "sha256", "school bus", "BbirbJq1C1G7", 100000, 0, true ));

    The key difference here is using 100000 vs 25000. You have to provide the same parameters as TYPO3 does (firstly).

    Secondly, the hash generated by TYPO3 and stored in database is what you get from that method call AND is prefixed by some additional information about the hash. In your last example, this:

    pbkdf2_sha256$100000$BbirbJq1C1G7$IcYmssO2bsILHcTCzLxPs/YmVGNmKb3cSt2JWzVzP2I=

    Thus this shows:

    1. The hash algorithm in use (pbkdf2_sha256)
    2. a separator ($)
    3. Number of run (100000)
    4. a separator ($)
    5. The salt being used by the hash algorithm (BbirbJq1C1G7)
    6. a separator ($)
    7. The hash itself (IcYms…)

    Just concatenate everything together and you’ll get a compatible hash for TYPO3. Explode at the separators ($) and you’ll get the various parts.

    Now, it is naturally obvious but just to be complete… you won’t be able to "convert" or "migrate" the hashes from one algorithm to another one, because this would defeat the whole security. A hash is not an encrypted cipher, it’s a 1-way operation. So the only way to "migrate" from pbkdf2_sha256 to phppass for your WordPress install will be to get the real password from your users (logically for you this means during the authentication process in TYPO3) and hash it using the new algorithm you need, thus either migrating over time all of your TYPO3 user passwords to the new algorithm or storing both representations "somewhere".

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search