First off, let me define the end goal:
I'd like to Wordpress (version 2.8) to manage the authentication data/credentials and access control for a web site. Wordpress will be used for most of the site, but some pages will be built outside of the Wordpress environment. These pages should be able to use the user authenticaion data stored Wordpress database as a reference to make their own decisions about access.
So, the question:
How, exactly, does Wordpress store user authentication data in its database?
The first part of this answer is easy, inside the Wordpress database, there is a table that holds the primary user data. I believe the default name for this table is "wp_users" but that can change based on the way Wordpress is setup. This table contains the fields "user_login" and "user_pass" which hold the username and password data, respectively.
The "user_login" is simply a plain text field, so that is easy enough to access, but the password is salted and hashed. This leads to the first thing that still needs to be determined: what is the salting and hashing process Wordpress uses for generating the strings that it stores in "user_pass"?
The other portion that remains open is where/how Wordpress stores its "roles". In my install, these roles default to: Administrator, Editor, Author, Contributor and Subscriber. What I don't see is how these roles are associated with individual users. Also, can these role altered?
So, to recap, the real question is in three parts:
1) What is the specific method Wordpress uses to transpose users' plain-text passwords to the strings that are stored in the "user_pass" column of the "wp_users" database table?
2) Where are the links between individual users and their respective Wordpress "roles" stored?
3) Can "roles" in Wordpress be modified to change their names and/or add/remove them?
Note: I realize that another approach would be to have non-Wordpress pages check the Wordpress cookie to determine access. I'm going to create another question along those lines, but for purposes of this question the focus is on how non-Wordpress pages can utilize the actual Wordpress database for decisions on access control.