Drupal 7 password hash

drupal encryption passwords drupal-7 password-protection
10,102

Note that these passwords are hashed, not encrypted. The fundamental difference between hashing and encryption is that with encryption you would be able to recover the original password. You won't be able to do that when they are hashed (not without a lot of effort), and that's by design.

Think of hash browns: if you've made a hash brown, you won't be able to get the original potatoes back. This is done so that if a hacker compromises your system and gains access to the database, they won't be able to see or recover the original passwords.

So how does one check if the user entered the correct password? Well, when the user tries to log in and enters a password, you apply the same functions to the user input and see if the output is the same thing as what's stored in the database. Since hashing functions are deterministic, you'll always get the same output with the same input.

The key to getting multiple applications to work with the same hashes is have them use the same functions on the passwords when attempting to authenticate a user. Drupal probably also uses one or more salts - but that's not important. As long as the same logic is used by your applications, the hashes will be always fully compatible.

Suppose Drupal uses something like this as its authentication system (very simplified pseudo-ish code):

/*
    input: user-entered $username and $password
    output: true if authorized, false otherwise
*/
function auth($username, $password) 
{
    $salt = 'some random salt';

    // input is sanitized somewhere, somehow
    $hash_from_db = db_result('SELECT hash FROM users WHERE username = "$username"');
    $hashed_input = sha1($password . $salt);

    if ($hash_from_db != $hashed_input)
        return false;
    else
        return true; 
}

If your other application uses the exact same thing to authenticate its users, it will work fine. Note that Drupal's authentication scheme will probably be a lot more complex, but don't let that faze you. It's just about doing the same thing Drupal does.

For Drupal, here's where you can start: user_hash_password().

Share:
10,102
user1020069
Author by

user1020069

Updated on June 04, 2022

Comments

  • user1020069
    user1020069 almost 2 years

    I have a bit of a dilemma here. I have a drupal 7 database table of users, with corresponding passwords. All these passwords have been naturally encrypted. My assumption is that these are MD5 hashes, but not quite.

    The challenge here is that, we are utilizing the same set of users in a companion website that uses similar credentials but a different technology [please don't blame me for this, I a mere pawn].

    Now if I knew how Drupal goes about encrypting its passwords, maybe I could decrypt them and apply the same in my backend logic?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Python's safest method to store and retrieve passwords from a database
How can I generate a vBulletin password salt for the md5 hash while importing user data?
File system permission error while installing drupal modules
How to store private encrypted user data in the database, but make them available to other chosen users?
RAR passwords, why don't rainbow tables work?
Illegal string offset '#children' in drupal_render()
How to properly store a PBKDF2 password hash
How can I encrypt password in a batch file?
How to link taxonomy terms to view page?
How to hash a password with SHA512