phpass | Openwall Phpass , namespaced with composer | Build Tool library

My problems had solved. Have no way to decrypt password in wordpress so i used format encrypt the same in java.Thank all !

So it turned out that the PHP's md5() function returns different hash than JS'es crypto.createHash('md5') because of character encoding. I've used utf8 before comparing the password against the hash and everything works as expected:

The current methodology is quite cumbersome and unnecessarily restricted. You should definitely switch it over to using JSON for easier manipulation and storage:

config.php

If you want to check password of particular user then you can use Wordpress Default function to check

Please check the code below

Change

Wordpress uses 8 hash iterations, the git hub cod you've linked uses 15 iterations, maybe you can't just try to reduce the number of hash iterations defined in the constant HASH_ITERATIONS.

I know MD5 was cracked a while back so I'm wondering if the new phpass is crackable if we have all database information available.

This is incorrect. MD5 has not been "cracked", but it can now be processed so fast that a solution value (or duplicate) can be found relaively very quickly. This is not the same as a "crack" which is a mathematical reversal of the process used to create the cyphertext/hash.

Because MD5 can be processed so quickly now, and because it always produces the same outcome from the same input, there are things called "rainbow tables" which store the plaintext and the md5 hash by association so make it easy to enter one, and find out the other. See more here.

That said, to explain: We've got a very strange situation on our hands. I was recently approached by a business who assumed that web developer also meant white hat, apparently. Long story short, the only person with access to this company's website passed away in a car crash three months ago. Server access, wordpress access, the whole nine yards - he was the only one with access, and he left zero notes. The business hasn't done anything with the website since then, but apparently last week the site was exploited and is now forwarding to a porn site, which is murdering their reputation currently. We've contacted the hosts and they can't do anything because we don't currently have the deceased verification information... So we're stuck. We've contacted the hosts management and have submitted the appropriate documents but they said it could take 3-4 weeks for a response. So there's that.

This sounds like utter rubbish.

There are various points on here that sound extremely dubious. No server is accessible to only one person, unless it's their own PC sitting in their living room or garage, etc., a properly maintained and managed system (as this appears to be by reference to hosting companies, etc.) will have access at a root level (and probably lower levels) available to the Hosting administration. Typically there are 5-6 access levels between the website developer and the chef honcho all of whom can if needbe access most parts of an end users account.

People die all the time. This is no reason to sink a server account just because someone passed away. Send legal documentation from a legal professional to the Hosting company explaining and showing that the account holder has expired and requesting the account be transferred.

This may take time depending on the size of the company and if the business is willing to pay for this work to be carried out.

If you have issues with the server hosts then you can also apply to the DNS authorities/company to have the domain name removed and redirected to another account with another host. This will be virtually seemless for the web domain visitors.

I repeat, various aspects of this question as described sound at best dubious and at worst simply ficticious.

It would certainly be possible, but you will need to add some logic to check the legacy password hashes using PHPass. The password_verify function cannot magically verify hashes of other formats.

Just check if the hash starts with $P$ (PHPass uses this prefix). If it does, use the verification methods in PHPass. Otherwise, use the native password_verify.

Also, you will want to update the user's stored hash on a successful login, to upgrade it to the new and better hash system.

PHP CS Fixer could accept any iterable as finder. Indeed, default one is just a symfony/finder (https://github.com/symfony/finder/blob/master/Finder.php).

As you can see, exclude is not accepting a glob. You could use, eg, notPath: