[Mediawiki-l] salted hashed hashed passwords

Brion Vibber brion at pobox.com
Wed Feb 8 18:27:27 UTC 2006


Paul Sanderson wrote:
> The problem comes when adding the password. As far as I can see
> MediaWiki expects a salted hash of the hash of a password, the salt is
> the userID. i.e. if I create a user who has a random password (say
> 123abc) and a userID of say 357 then I would do the following
> 
> Create a random password (123abc)
> 
> Hash it
> 
> prepend the user ID and a dash (-), so we would have something like
> 
> 357-abc343acde... etc.
> 
> We then hash this string again, giving the final hash

Sounds right. Make sure that:
* you are using MD5
* hex digits are lowercase
* the hashed object is UTF-8 text, and you're not including the NULL byte or any
other trailing bytes from an array

For your example of id 357 and password "123abc" you should get:

$ php -r 'echo md5("357-" . md5("123abc")) . "\n";'
397981aabef0194a3b76c1319c496659

-- brion vibber (brion @ pobox.com)
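
An added example, not part of the original message or of MediaWiki's code: a Python version of the scheme described in the thread that also reports which of the mistakes listed in the reply (uppercase hex, a trailing NUL byte, a non-UTF-8 encoding) would produce a given mismatching hash. The function names and the choice of UTF-16LE as the wrong encoding are assumptions made for illustration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    # hexdigest() always returns lowercase hex digits
    return hashlib.md5(data).hexdigest()

def mw_salted_hash(user_id: int, password: str) -> str:
    """md5("<user_id>-" + md5(password)) over UTF-8 bytes, as in the thread."""
    inner = md5_hex(password.encode("utf-8"))
    return md5_hex(f"{user_id}-{inner}".encode("utf-8"))

def variants(user_id: int, password: str) -> dict:
    """Correct hash plus the results of the mistakes the reply lists."""
    salt = f"{user_id}-".encode("utf-8")
    pw = password.encode("utf-8")
    inner = md5_hex(pw).encode("ascii")
    good = mw_salted_hash(user_id, password)
    return {
        "correct": good,
        "uppercase final hex": good.upper(),
        "uppercase inner hex": md5_hex(salt + inner.upper()),
        "trailing NUL on password":
            md5_hex(salt + md5_hex(pw + b"\x00").encode("ascii")),
        "trailing NUL on salted string": md5_hex(salt + inner + b"\x00"),
        # UTF-16LE is an assumed example of a non-UTF-8 encoding
        "UTF-16LE password":
            md5_hex(salt + md5_hex(password.encode("utf-16-le")).encode("ascii")),
    }

def diagnose(user_id: int, password: str, candidate: str) -> str:
    """Name the variant that yields `candidate`, or 'no match'."""
    for name, value in variants(user_id, password).items():
        if candidate == value:
            return name
    return "no match"

if __name__ == "__main__":
    # Sample values from the thread: user id 357, password "123abc"
    for name, value in variants(357, "123abc").items():
        print(f"{value}  {name}")
```

Passing the hash produced by an external tool to `diagnose` shows which of these mistakes, if any, the tool is making.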
