• Okay, here’s a good one for you. I’ve been searching around on Google for probably a solid two hours with nothing to show.
    I have a game that interfaces with some PHP to verify that users owned a copy of the game. For a while, I’ve been using the line wp_check_password($password, wp_hash_password($password), $user_id) to verify the user, but recently I realized that this doesn’t actually verify the user. All it does is basically hash the password twice and make sure it’s the same (spoiler: it always is). So, I figured substituting the second argument for $user->user_pass would fix it. Unfortunately, it didn’t. After much research, I found out why: since my authentication is outside my core WordPress install and manually includes wp-load.php, when WordPress creates a new PasswordHash object, it creates a brand-new random salt, which will very probably never ever actually match the one used to hash the password in the database. To make matters worse, it doesn’t store that salt anywhere I can find. So, I have two questions.
    Firstly: How does WordPress pull this off? How often is wp-load.php actually included in a normal install, and how does the PasswordHash object (and consequently the salt) stay the same no matter what, without storing it? Does it actually store it somewhere?
    Secondly: Presuming that it doesn’t store the salt and I don’t want to edit class-phpass.php to store/return the salt (and I don’t), would the best method be to create a little plugin that redefines the password hashing to use something more reproducible (and if so, what do you recommend)? I don’t really want to make every user reset their password, but if that’s the only solution, I’ll consider it.

Viewing 1 replies (of 1 total)
  • Thread Starter snoozbuster

    (@snoozbuster)

    Okay, so after more research I’ve found more information. WP passwords are stored like “$P$” + (letter representing hash repetition count) + (8-character salt) + (hash), and PasswordHash::CheckPassword() should extract these things and correctly hash your password. But the password hash I get from “SELECT user_pass FROM wp_users WHERE user_login = %d” doesn’t match the one from CheckPassword(). I even reconstructed the function for testing, to see where it was going wrong, and it appeared to be working fine; it just doesn’t match. I then constructed a function to iterate hashing until it found a matching one to see if the count was off, but even that failed (I went up to 100,000 iterations).

    So, any ideas?
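Editor's note on both posts above: the portable phpass scheme WordPress uses never stores the salt separately because the salt is part of the stored string ("$P$" + count character + 8 salt characters + 22 hash characters, 34 in total). CheckPassword() reads the count and salt back out of the stored hash and re-hashes the candidate password under them, so the random salt a freshly constructed PasswordHash object holds only matters when hashing a new password, not when verifying. The following Python re-implementation of that scheme is added here for illustration; it is not WordPress or phpass code, and the `check_password`/`hash_password` names are this example's own (the PHP equivalents are `CheckPassword()` and `HashPassword()`, i.e. `wp_check_password($password, $user->user_pass, $user->ID)` in WordPress).

```python
import hashlib
import hmac
import os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def encode64(data: bytes, count: int) -> str:
    # phpass's own base64 variant (alphabet ./0-9A-Za-z, no padding), not RFC 4648.
    out, i = '', 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3f]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3f]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3f]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3f]
    return out

def crypt_private(password: str, setting: str) -> str:
    # Re-hash under the parameters carried in `setting`: chars 0-2 scheme,
    # char 3 log2(iterations), chars 4-11 the salt. A stored hash is a valid setting.
    if len(setting) < 12 or setting[:3] not in ('$P$', '$H$'):
        return '*'
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return '*'
    pw = password.encode('utf-8')
    digest = hashlib.md5(setting[4:12].encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)

def check_password(password: str, stored_hash: str) -> bool:
    # PasswordHash::CheckPassword() equivalent: the salt comes from stored_hash itself.
    return hmac.compare_digest(crypt_private(password, stored_hash), stored_hash)

def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    # HashPassword() in portable mode: a fresh random salt goes into the output string.
    setting = '$P$' + ITOA64[min(iteration_count_log2 + 5, 30)] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)
```

With the default count of 8, new hashes start with "$P$B" (8 + 5 = 13, which indexes "B"), matching what a stock WordPress install writes to wp_users.user_pass.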

  • The topic ‘Problem with off-site authentication’ is closed to new replies.