[Mediawiki-l] salted hashed hashed passwords

Brion Vibber brion at pobox.com
Wed Feb 8 18:27:27 UTC 2006

Paul Sanderson wrote:
> The problem comes when adding the password. As far as I can see
> mediaWiki expects a salted hash of the hash of a password, the salt is
> the userID. i.e. if I create a user who has a random password (say
> 123abc) and a userID of say 357 then I would do the following
> Create a random password (123abc)
> Hash it
> prepend the user ID and a dash(-), so we would have, some thing like
> 357-abc343acde... etc.
> We then hash this string again, giving the final hash

Sounds right. Make sure that:
* you are using MD5
* hex digits are lowercase
* the hashed object is UTF-8 text, and you're not including the NULL byte or any
other trailing bytes from an array

For your example of id 357 and password "123abc" you should get:

$ php -r 'echo md5("357-" . md5("123abc")) . "\n";'

-- brion vibber (brion @ pobox.com)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20060208/7cb846f8/attachment-0001.pgp 

More information about the MediaWiki-l mailing list