views:

1799

answers:

6

How can I know the value of the string which is used as the salt for Joomla's salt-enhanced password encryption?

A: 

Not familiar with Joomla in particular, but most salted passwords either contain the salt in the password string, separated by a delimiter (typically $ or some other non-alphanumeric character), or it may be stored in a separate column in the DB table.

Mark
+1  A: 

Joomla generates a random salt for each password. Here you can find valuable information on how to work with the Joomla methods to generate passwords:

http://forum.joomla.org/viewtopic.php?f=476&t=308499

From that bit you can see that the salt is stored after the password with a colon as delimiter.

$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword("blabla", $salt);
$password = $crypt . ':' . $salt;

[EDIT] I just needed to write an Authorisation Validator with Zend_Auth to validate against a Joomla (1.0) install and I thought I'd update the information here about it. A snip of my code.

$dbAdapter = Zend_Registry::get('jdb');
$this->_authAdapter = new Zend_Auth_Adapter_DbTable($dbAdapter);
$this->_authAdapter->setTableName('jos_users')
->setIdentityColumn('username')
->setCredentialColumn('password');

// Joomla 1.0 uses hashes in the form md5(password + salt) + ':' + salt
$users = new Users();
$hash = $users->getHash($value);
// the salt is everything after the colon in the stored field
$salt = substr($hash, strpos($hash, ':') + 1);
// rebuild the stored form from the submitted password and the stored salt
$password = md5($context['password'] . $salt) . ':' . $salt;

[/EDIT]

tharkun
Is there any way to avoid that salt and to use only md5 for the password?
Jasim
No, unless you rewrite all the involved parts of the software...
tharkun
This is not correct. If the colon (in the passwords in the database) is omitted, Joomla! will assume an md5-hashed password (see "How do I recover my admin password?", http://forum.joomla.org/viewtopic.php?t=10985). So if you (really) want to have all your passwords in md5 only, you need to rewrite or change the "Change-Password" procedures. Joomla! won't salt them as long as it only reads them from the database.
giraff
Thanks for the update.
tharkun
+1  A: 

In the password field in the users table, it's the bit after the ":"

The formula is something like

password DB field = md5(password + salt) + ":" + salt

Danny
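The two layouts described in the answers above (md5(password + salt) + ":" + salt, and a bare md5 digest with no colon for legacy rows) as an added example in Python; this is not Joomla's code or any answerer's code. It assumes the salt is 32 alphanumeric characters as genRandomPassword(32) produces, and is only meant for checking existing Joomla 1.0/1.5 rows, since unsalted or salted md5 is not an acceptable password-hashing scheme today.

```python
import hashlib
import hmac
import secrets
import string

HEX_DIGITS = set("0123456789abcdef")

def parse_stored_password(stored: str):
    """Split a Joomla 1.0/1.5 password field into (digest, salt).

    A field with no colon is treated as a legacy unsalted md5 digest
    (empty salt), which is how Joomla itself reads such rows.
    """
    if ":" in stored:
        digest, salt = stored.split(":", 1)
    else:
        digest, salt = stored, ""
    digest = digest.lower()
    if len(digest) != 32 or any(c not in HEX_DIGITS for c in digest):
        raise ValueError("stored field does not start with a 32-hex-char md5 digest")
    return digest, salt

def joomla_legacy_hash(password: str, salt: str) -> str:
    """Build the stored form: md5(password + salt) + ':' + salt.

    With an empty salt the bare digest is returned (no colon), matching
    the legacy layout Joomla accepts.
    """
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}" if salt else digest

def verify_joomla_password(stored: str, candidate: str) -> bool:
    """Check a submitted password against a stored field of either layout."""
    digest, salt = parse_stored_password(stored)
    computed = hashlib.md5((candidate + salt).encode("utf-8")).hexdigest()
    # constant-time comparison so the check does not leak matching prefixes
    return hmac.compare_digest(computed, digest)

def new_stored_password(password: str, salt_length: int = 32) -> str:
    """Create a salted field the way the forum snippet does.

    Assumption: the salt alphabet is alphanumeric, as genRandomPassword()
    uses; the randomness here comes from Python's secrets module.
    """
    alphabet = string.ascii_letters + string.digits
    salt = "".join(secrets.choice(alphabet) for _ in range(salt_length))
    return joomla_legacy_hash(password, salt)
```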
A: 

Hi,

How can I check login to a web application that uses the database of Joomla 1.5 through ASP.NET?

Thanks !

Shinichi
A: 

If Joomla is randomly generating the salt each time, how in the world does it validate users' logins against it? I thought normally the salted password was supposed to be stored somewhere as regular text and you validated against the hashed version of that and the hashed password.

Andy