This time just a quick post as I am in a hurry. Ever wondered how to change your Wordpress password in case you have forgotten it? In early versions, Wordpress used the MD5 hashing algorithm to “encrypt” a user's password. Since version 2.5, Wordpress has used the Portable PHP password hashing framework (PHPASS) instead of MD5 hashing (see this ticket), so you can no longer simply MD5-hash a new password and enter the digest into the database. You have to hash it using the framework mentioned above.
Today I implemented the PHPASS framework and turned it into a mainframe8 tool called the Wordpress password hasher. Use it to convert your new password into an “encrypted” hash and insert it into the wp_users table of the Wordpress database. I will write a detailed howto later.


14 Comments
Greetings, super post, need to mark it on Digg
AnnaHopn
Hi,
I want to add all the Wordpress users to Joomla so that they can use their same username and password when they log in to the new Joomla site. I am getting the PHPASS password from the wp_users table, so how do I convert that to an MD5 hash so that I can enter it in the Joomla user table?
Thanks in advance
Hi Dipesh,
thanks for your comment.
So you want to migrate the users of Wordpress to Joomla (continuously perhaps). Unluckily you cannot convert the Wordpress users’ passwords to their plaintext values and then re-encode them by MD5 for Joomla. They are hashed, so you’ve got bad luck there. Of course you could try to crack them but they’re salt-hashed so there is less chance you could achieve that.
BUT: you could adopt the PHPASS algorithm for use in Joomla! That should not be that hard. So you can simply change 1) the password hashing in the Joomla registration process and 2) the password check of Joomla.
Then migrate all passwords from Wordpress to Joomla and you’re done.
Plan B: convert the password hashing for Wordpress from PHPASS back to MD5 and you save yourself from the hassle of changing Joomla code. But you must live with less security of your Wordpress installation then.
Did this help you, Dipesh?
Does someone else have a comment on this? Tell us how you would do it!
Thanks for implementing this for the rest of us, it worked great.
I’m glad to help, Alan. Thanks for your feedback!
How to change the process phpass wordpress in MD5?
Do you have a tutorial to do that?
Thank you
Hi Frank,
thank you for your reply! Quite frankly, I don’t exactly know what you mean by “changing the process phpass.” Could you please explain it further and I will see what I can do for you. I can imagine you mean how to change the process Wordpress uses to authenticate from phpass to something other like MD5. Is it that? Or to change something in the phpass ‘algorithm?’
Please provide more details. Thanks!
Stotti
This is awesome. Thanks for posting!
Question: how could I process 600+ user passwords instead of doing them one at a time?
Berry, thanks for your comment.
I could add a batch-mode to the tool. Would that help? But the development will take some time as I’m out of free time at the moment.
Stotti
Scotti, ya that would be great. Totally understand you’re busy. As soon as I finish migrating the rest of the user data I’ll start doing them one by one on my train ride in to work
– you’ve already saved me with this tool.
B
I’m trying to move 5000 Wordpress users to Joomla. If anyone has a batch mode solution or a way to change the Joomla hashing scheme, please let us know
@CharlieMon
Why do you want to move users to Joomla? Do you want to change your Wordpress site platform into Joomla? Or just want to make a new site?
Hi there,
Great article, password hashing is a common question for me as a network penetration tester, the strongest I come across day to day is salted SHA-386/SHA-512, virtually uncrackable.
Please people don’t use MD5 – it’s so easily cracked online, I make a lot of money from my online md5 cracker because so many people still use it to hash passwords, if you’re using MD5 hashes all your users need to be using passwords that are 10+ characters and containing latin symbols to ensure they won’t be cracked, which just isn’t practical.
I think salting and the lack of SHA-386/SHA-512 online cracks/distributed crackers means that using those algorithms should keep your passwords safe if all else fails, it’s certainly stopped me in my tracks before now.
(If you want to chat, you can find me at http://www.adamonsecurity.com where I discuss similar topics about my life as a penetration tester)
Great blog, keep up the good work
Adam