I am migrating from Joomla 1.5 to WordPress and my client does not want users to have to re-register. So I am writing a WordPress plugin to match a user's password with what's in the jos_users table and then update their info in WordPress accordingly.
Everything I have read so far for Joomla's password authentication points me to the getCryptedPassword function:
http://docs.joomla.org/API15:JUserHelper/getCryptedPassword
My plugin is encrypting what the user enters the same way:
$db_password = explode(':', $query); // $query holds the password field of jos_users
$salt = $db_password[1];
$string_to_be_hashed = $user_entered_pass . $salt;
$test_pass = md5($string_to_be_hashed);
$test_pass = $test_pass . ":" . $salt;
// Compare (not assign) against the stored value
if ($test_pass === $query) { echo "success"; }
I have tested 3 accounts using this...but only 2 are authenticating.
Specifically: md5($password$salt):$salt != database password value
In the database, the password value for the account it is not working for appears to have used the same encryption and in the same format ([md5hash]:salt). I know the password is correct because I can log into the client's site with it.
In addition, I ran a search on the entire Joomla codebase for the getCryptedPassword function. In all cases, no explicit encryption method is sent - both the code and the documentation indicate that md5 is used by default.
Can anyone think of any places I should look for alternative encryption possibilities?
I have no idea where else to look or why this particular user account appears to be encrypting differently.
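
An added example, not part of the original post: a standalone check for the `[md5hash]:salt` format described above, which also accepts a stored value with no salt and compares digests in constant time. The function name `joomla15_password_matches` and the sample password and salt are constructed for illustration.

```php
<?php
// Added example (not the poster's or Joomla's code). Assumes the value in
// jos_users.password is "md5hex:salt", or a bare "md5hex" with no salt.

function joomla15_password_matches(string $entered, string $stored): bool
{
    // Split once on the first colon: hash on the left, salt on the right.
    $parts = explode(':', $stored, 2);
    $hash  = strtolower($parts[0]);
    $salt  = $parts[1] ?? '';

    // Refuse values that are not a 32-character hex MD5 digest, so a
    // differently formatted row fails closed instead of comparing garbage.
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return false;
    }

    // Salted rows hash password followed by salt; with an empty salt this
    // reduces to md5(password).
    $candidate = md5($entered . $salt);

    // hash_equals() compares in constant time (PHP 5.6+).
    return hash_equals($hash, $candidate);
}

// Constructed sample data, not taken from any real database.
$salt     = 'ConstructedSalt0123456789abcdefg';
$salted   = md5('correct horse' . $salt) . ':' . $salt;
$unsalted = md5('correct horse');

var_dump(joomla15_password_matches('correct horse', $salted));
var_dump(joomla15_password_matches('wrong guess', $salted));
var_dump(joomla15_password_matches('correct horse', $unsalted));
var_dump(joomla15_password_matches('correct horse', 'not-a-hash:' . $salt));
```

On a successful match, the plugin can store the entered password with WordPress's `wp_set_password()` so the salted MD5 value is not needed for that user again.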