一。研究wordpress时wordpess的密码密码生成与登录密码验证方式很重要

WordPress密码已成为整合的首要目标,如何征服整合,就得了解WordPress密码算法。

WordPress系统的用户密码是保存在wp_users数据表的user_pass字段,密码是通过Portable PHP password hashing framework类产生的,密码的形式是随机且不可逆,同一个明文的密码在不同时间,产生的密文也不一样,相对来说较为安全。

二。密码生成方式

> 随机产生一个salt 并将salt和password相加

> 进行了count次md5 然后和encode64的hash数值累加

> 最后得到一个以$P$开头的密码,这个密码每次产生的结果都不一样

以下为在wordpress中调用密码生成的代码

<?php

 $password = 'abc';

 global $wp_hasher;

 if ( empty($wp_hasher) ) {

  require_once( './wp-includes/class-phpass.php');

  $wp_hasher = new PasswordHash(8, TRUE);

 }

 echo $wp_hasher->HashPassword($password);

?>

三。wordpress密码生成与登录验证

wordpress中位置为\wp-includes\class-phpass.php

以下是wordpress中生成密码的代码直接运行可查看密码的生成以及验证过程


<?php

class PasswordHash {

	var $itoa64;

	var $iteration_count_log2;

	var $portable_hashes;

	var $random_state;

	function PasswordHash($iteration_count_log2, $portable_hashes)

	{

		$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

		if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)

			$iteration_count_log2 = 8;

		$this->iteration_count_log2 = $iteration_count_log2;

		$this->portable_hashes = $portable_hashes;

		$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compability reasons

	}

	function get_random_bytes($count)

	{

		$output = '';

		if ( @is_readable('/dev/urandom') &&

		    ($fh = @fopen('/dev/urandom', 'rb'))) {

			$output = fread($fh, $count);

			fclose($fh);

		}

		if (strlen($output) < $count) {

			$output = '';

			for ($i = 0; $i < $count; $i += 16) {

				$this->random_state =

				    md5(microtime() . $this->random_state);

				$output .=

				    pack('H*', md5($this->random_state));

			}

			$output = substr($output, 0, $count);

		}

		return $output;

	}

	function encode64($input, $count)

	{

		$output = '';

		$i = 0;

		do {

			$value = ord($input[$i++]);

			$output .= $this->itoa64[$value & 0x3f];

			if ($i < $count)

				$value |= ord($input[$i]) << 8;

			$output .= $this->itoa64[($value >> 6) & 0x3f];

			if ($i++ >= $count)

				break;

			if ($i < $count)

				$value |= ord($input[$i]) << 16;

			$output .= $this->itoa64[($value >> 12) & 0x3f];

			if ($i++ >= $count)

				break;

			$output .= $this->itoa64[($value >> 18) & 0x3f];

		} while ($i < $count);

		return $output;

	}

	function gensalt_private($input)

	{

		$output = '$PXXXXX;

		$output .= $this->itoa64[min($this->iteration_count_log2 +

			((PHP_VERSION >= '5') ? 5 : 3), 30)];

		$output .= $this->encode64($input, 6);

		return $output;

	}

	function crypt_private($password, $setting)

	{

		$output = '*0';

		if (substr($setting, 0, 2) == $output)

			$output = '*1';

		$id = substr($setting, 0, 3);

		# We use "$P{1}quot;, phpBB3 uses "$H{1}quot; for the same thing

		if ($id != '$PXXXXX && $id != '$HXXXXX)

			return $output;

		$count_log2 = strpos($this->itoa64, $setting[3]);

		if ($count_log2 < 7 || $count_log2 > 30)

			return $output;

		$count = 1 << $count_log2;

		$salt = substr($setting, 4, 8);

		if (strlen($salt) != 8)

			return $output;

		# We're kind of forced to use MD5 here since it's the only

		# cryptographic primitive available in all versions of PHP

		# currently in use.  To implement our own low-level crypto

		# in PHP would result in much worse performance and

		# consequently in lower iteration counts and hashes that are

		# quicker to crack (by non-PHP code).

		if (PHP_VERSION >= '5') {

			$hash = md5($salt . $password, TRUE);

			do {

				$hash = md5($hash . $password, TRUE);

			} while (--$count);

		} else {

			$hash = pack('H*', md5($salt . $password));

			do {

				$hash = pack('H*', md5($hash . $password));

			} while (--$count);

		}

		$output = substr($setting, 0, 12);

		$output .= $this->encode64($hash, 16);

		return $output;

	}

	function gensalt_extended($input)

	{

		$count_log2 = min($this->iteration_count_log2 + 8, 24);

		# This should be odd to not reveal weak DES keys, and the

		# maximum valid value is (2**24 - 1) which is odd anyway.

		$count = (1 << $count_log2) - 1;

		$output = '_';

		$output .= $this->itoa64[$count & 0x3f];

		$output .= $this->itoa64[($count >> 6) & 0x3f];

		$output .= $this->itoa64[($count >> 12) & 0x3f];

		$output .= $this->itoa64[($count >> 18) & 0x3f];

		$output .= $this->encode64($input, 3);

		return $output;

	}

	function gensalt_blowfish($input)

	{

		# This one needs to use a different order of characters and a

		# different encoding scheme from the one in encode64() above.

		# We care because the last character in our encoded string will

		# only represent 2 bits.  While two known implementations of

		# bcrypt will happily accept and correct a salt string which

		# has the 4 unused bits set to non-zero, we do not want to take

		# chances and we also do not want to waste an additional byte

		# of entropy.

		$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

		$output = '$2aXXXXX;

		$output .= chr(ord('0') + $this->iteration_count_log2 / 10);

		$output .= chr(ord('0') + $this->iteration_count_log2 % 10);

		$output .= 'XXXXX;

		$i = 0;

		do {

			$c1 = ord($input[$i++]);

			$output .= $itoa64[$c1 >> 2];

			$c1 = ($c1 & 0x03) << 4;

			if ($i >= 16) {

				$output .= $itoa64[$c1];

				break;

			}

			$c2 = ord($input[$i++]);

			$c1 |= $c2 >> 4;

			$output .= $itoa64[$c1];

			$c1 = ($c2 & 0x0f) << 2;

			$c2 = ord($input[$i++]);

			$c1 |= $c2 >> 6;

			$output .= $itoa64[$c1];

			$output .= $itoa64[$c2 & 0x3f];

		} while (1);

		return $output;

	}

	function HashPassword($password)

	{

		$random = '';

		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {

			$random = $this->get_random_bytes(16);

			$hash =

			    crypt($password, $this->gensalt_blowfish($random));

			if (strlen($hash) == 60)

				return $hash;

		}

		if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {

			if (strlen($random) < 3)

				$random = $this->get_random_bytes(3);

			$hash =

			    crypt($password, $this->gensalt_extended($random));

			if (strlen($hash) == 20)

				return $hash;

		}

		if (strlen($random) < 6)

			$random = $this->get_random_bytes(6);

		$hash =

		    $this->crypt_private($password,

		    $this->gensalt_private($random));

		if (strlen($hash) == 34)

			return $hash;

		# Returning '*' on error is safe here, but would _not_ be safe

		# in a crypt(3)-like function used _both_ for generating new

		# hashes and for validating passwords against existing hashes.

		return '*';

	}

	function CheckPassword($password, $stored_hash)

	{

		$hash = $this->crypt_private($password, $stored_hash);

		if ($hash[0] == '*')

			$hash = crypt($password, $stored_hash);

		return $hash == $stored_hash;

	}

}

//原始密码

$passwordValue = "123456";

//生成密码

$wp_hasher = new PasswordHash(8, TRUE);

$sigPassword = $wp_hasher->HashPassword($passwordValue);

echo "生成的密码为:".$sigPassword;

echo "\n";

//验证密码

$data = $wp_hasher->CheckPassword($passwordValue,$sigPassword);

if($data){

    echo '密码正确';

}else{

	echo '密码错误';

}

?>

此为一个wordpres密码生成与登录验证实例,其中HashPassword为生成密码,CheckPassword为验证密码

itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 为以上提到的生成salt的基础字符串。

备注:由于csdn代码显示插件对特殊字符的限制。 请将以上代码中 XXXXX替换为 $'  注意有单引号,代码中一共有5处

原博客链接:http://blog.csdn.net/chengfei112233/article/details/6939144/

wordpress密码生成与登录密码验证的更多相关文章

  1. Java调用K3Cloud的密码加密算法实现登录密码检验

    背景: 最近要开始做K3Cloud移动,BOS平台的移动单据收费,就想单独做移动模块,搭建环境:后台SSH2,前端Android.在手机端登录时通过Ajax方式传递用户名和密码到后台校验,后台在去K3 ...

  2. 设置思科设备console密码、enable密码、vty登录密码

    思科设备各级密码:1)  console密码 SW2(config)#line console 0SW2(config-line)#password ciscoSW2(config-line)#log ...

  3. Oracle 修改密码(忘记登录密码,用户System)

    1.修改计算机环境变量,把oracle服务端路径放在最前面 2.输入cmd 3.输入命令:sysplus /nolog SQL>conn sys/syspwd as sysdba SQL> ...

  4. 支付宝cookie 是支付密码 不是登录密码

    开发文档/ 手机网站支付 / 产品介绍 开放平台文档中心 https://docs.open.alipay.com/203/105288

  5. 复杂密码生成工具apg

    复杂密码生成工具apg   密码是身份认证的重要方式.由于密码爆破方式的存在,弱密码非常不安全.为了构建复杂密码,Kali Linux预置了一个复杂密码生成工具apg.该工具可以提供可读密码和随机字符 ...

  6. ZABBIX 忘记登录密码

    ZABBIX 忘记登录密码 摘要 有些童鞋会忘记zabbix的登陆密码,今天给大家写一篇找回登陆密码~       ZABBIX 忘记登录密码 zabbix 刚刚在群里吹牛逼,由于账号比较多,脑子容易 ...

  7. Ubuntu登录Windows Server 2008r2 密码总是错误与NLA验证

    日期:2013-05-22   经过一天的折腾,终于能够用Ubuntu登录Windows server 2008 R2 了. 寝室里面用小本子,装的ubuntu,实验室的服务器是win server0 ...

  8. 如何通过数据库修改WordPress后台登录密码

    大家是否有过因为忘记WordPress后台登陆密码的时候?其实WordPress后台登陆密码的找回或修改的方法有多种,比如通过邮箱重启密码,又或者通过主机控制面板进入数据库修改等等.本篇教程以GoDd ...

  9. wordpress登录密码框明文显示最后一个输入的字符

    wordpress登录密码框明文显示最后一个输入的字符 (function(a){a.fn.dPassword=function(c){var e={interval:200,duration:100 ...

随机推荐

  1. How to: Use a Custom User Name and Password Validator

    在wcf中使用自定义的用户名和密码验证方式 https://msdn.microsoft.com/en-us/library/aa702565.aspx http://www.codeproject. ...

  2. 【Moment.js】

    Moment.js Moment.js中文网 var moment = require('moment') moment.locale('zh-cn') /* 九月 13日 2015, 4:45:25 ...

  3. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    The server is temporarily unable to service your request due to maintenance downtime or capacity pro ...

  4. HDU 5949 Relative atomic mass 【模拟】 (2016ACM/ICPC亚洲区沈阳站)

    Relative atomic mass Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Oth ...

  5. POJ ---2531

    Network Saboteur Time Limit: 2000MS   Memory Limit: 65536K Total Submissions: 8751   Accepted: 4070 ...

  6. VMware设置虚拟机,并配置远程连接桌面

    现在需要使用VMware虚拟出几个window7的机器,用来跑自动化测试. 在配置虚拟机的时候遇到了几个问题: 问题1:虚拟机无法与外界机器通信.(可ping通过). 问题2:外界机器无法链接虚拟机的 ...

  7. Page Object 模式编写UiAutomator脚本

    在我们学习Page Object Model之前,我们先了解一下Page Object Model(以下简称POM). 为什么要POM 用UiAutomator启动UI自动化测试不是一件困难的任务.你 ...

  8. C#的类成员初始化顺序

    C#的类成员的定义和声明如下 using UnityEngine; using System.Collections; public class TestController : ECControll ...

  9. php 修改上传文件大小

    有些朋友要通过自己的网站后台,包括论坛,来上传一些文件,php一般为2m,或8m(以下我们按默认为2m),接下来就是来讲怎么修改上传文件大小的. 1.首先修改执行上传文件限制 一般的文件上传,除非文件 ...

  10. 搜索算法:深度优先搜索(DFS)

    关于深搜的介绍,在网上有很多,不再赘述.主要以题目形式实例讲解. POJ - 1321 (http://poj.org/problem?id=1321) 题目大意:给出一个棋盘,棋子不能同行同列,求放 ...