Created
March 8, 2023 11:42
How to verify a wordpress password in Python 3
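# Verify a WordPress password hash with passlib
# (https://passlib.readthedocs.io/en/stable/index.html), which includes a
# recent implementation of phpass, the library WordPress uses.
#
# NOTE: phpass "portable" hashes are salted, iterated MD5. Treat the format as
# legacy: verify against it for compatibility with existing user tables, and
# consider re-hashing with a stronger scheme after a successful login.
import hmac

from passlib.hash import phpass
from passlib.utils.binary import h64

# 'password' hashed with a random 8-character salt and rounds=13 (the value is
# logarithmic, i.e. 2**13 iterations). Salt and rounds are encoded in the hash
# itself:
# https://passlib.readthedocs.io/en/stable/lib/passlib.hash.phpass.html#format
# $P${rounds, 6-bit integer encoded as char}{salt, 8 characters}{checksum}
wordpress_hashed_password = '$P$BcT47uPjTpAPe6VtS8MeR4MECevpNb.'

# Short version: True, because verify() takes its configuration (salt and
# rounds) from the stored hash. Prefer this form in real code; it parses the
# hash and does the comparison for you.
is_valid = phpass.verify("password", wordpress_hashed_password)

# Longer version: decode the parameters by hand and recompute the hash, to
# show what verify() does under the hood.
rounds = h64.decode_int6(wordpress_hashed_password[3].encode('ascii'))  # 13
salt = wordpress_hashed_password[4:12]  # 'cT47uPjT'
custom_hasher = phpass.using(salt=salt, rounds=rounds)
recomputed_hash = custom_hasher.hash("password")

# Compare in constant time rather than with ==, so the comparison does not
# reveal how many leading characters of the stored hash matched.
hashes_match = hmac.compare_digest(recomputed_hash, wordpress_hashed_password)  # True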