6
votes

I'm trying to do something with WordPress passwords that may or may not be considered kosher.

Situation:
Basically I have two different services, both requiring passwords. One of these services is a simple WordPress account and one is another app, having nothing to do with WordPress. I would like to sync usernames and passwords across the two, meaning that every time a WordPress username changes, the app's username changes, and every time the WordPress password changes, the app's password changes.

Problem/Question:
There are several ways I could deal with the username, but the password is the tricky one. I'm looking to exploit a hook from the WordPress password reset interface so that any time a new password is set, it grabs it in its plain-text form (before it's hashed) and sends it to an API that I'm using to hash/store the passwords separately for this non-WordPress app. Is there a way to accomplish this?

Any shots at a solution are much appreciated.

2
I know, this Q is eons old, but how did you go about this? Your 'suggested solution' looks like it could easily be exploited to grab users' passwords, thus I'm curious as to how you went about it. Perhaps you encrypted the password 'in transit' or something? - Athoxx
@Athoxx It was a bit hacky but as I remember it, I had access to the back-end of the other app so I encrypted the password before sending it to the API and then decrypted that parameter once it was received by the other app. - neanderslob

2 Answers

7
votes

Yes, there are hooks for this in /wp-login.php (password reset) and /wp-admin/includes/user.php (password change in user page).

# When resetting password in wp-login
add_action( 'password_reset', function( $user, $pass )
{
    // $pass is the new password in plain text, before it is hashed
    var_dump( $pass );
    die();
}, 10, 2 );

and

# When checking if passwords match
add_action( 'check_passwords', function( $user, $pass1, $pass2 ) 
{
    var_dump( $pass1 );
    die();
}, 10, 3 );

-1
votes

You can try using the validate_password_reset hook to validate the password. The following code can be used to validate an alphanumeric password.

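add_action( 'validate_password_reset', 'wdm_validate_password_reset', 10, 2 );

// Add an error unless the new password has a digit, a letter and 6-32 characters.
function wdm_validate_password_reset( $errors, $user )
{
    // $_POST['pass1'] is absent until the reset form has been submitted.
    if ( ! isset( $_POST['pass1'] ) || ! is_string( $_POST['pass1'] ) )
        return;

    $exp = '/^(?=.*\d)((?=.*[a-z])|(?=.*[A-Z])).{6,32}$/';

    if ( strlen( $_POST['pass1'] ) < 6 || ! preg_match( $exp, $_POST['pass1'] ) )
        $errors->add( 'error', 'Password must be alphanumeric and contain minimum 6 characters.', '' );
}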
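
Athoxx's comment above points out that these hooks hand the plain-text password to whatever code registers on them. As an added example (not part of the original posts), this Python script lists registrations on the three hooks named on this page in a set of PHP sources and marks files that also call a function able to send or store data. The sink list, the sample files and the SYNC_URL/FEED_URL names are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Hooks named on this page whose callbacks can see the password before hashing.
PLAINTEXT_HOOKS = {"password_reset", "check_passwords", "validate_password_reset"}
# Calls that can move a value off the request: network, mail, disk, logs (assumed list).
SINKS = ("wp_remote_post", "wp_remote_get", "wp_remote_request", "curl_exec",
         "file_put_contents", "fwrite", "error_log", "wp_mail", "mail")

HOOK_RE = re.compile(r"add_(?:action|filter)\s*\(\s*['\"]([A-Za-z0-9_]+)['\"]")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")

def audit(files):
    """files maps path -> PHP source; returns one finding per hook registration."""
    findings = []
    for path, src in files.items():
        # Sinks are matched per file, not per callback, so expect false positives.
        sinks = sorted({m.group(1) for m in SINK_RE.finditer(src)})
        for m in HOOK_RE.finditer(src):
            if m.group(1) not in PLAINTEXT_HOOKS:
                continue
            findings.append({
                "file": path,
                "line": src.count("\n", 0, m.start()) + 1,
                "hook": m.group(1),
                "sinks": sinks,
                "severity": "review" if sinks else "info",
            })
    return findings

def load_tree(root):
    """Read every .php file under root (for example a wp-content directory)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}

# Constructed sample input (not real plugins); SYNC_URL and FEED_URL are placeholders.
SAMPLE_FILES = {
    "plugins/sync/sync.php": "<?php\n"
        "add_action( 'password_reset', function ( $user, $pass ) {\n"
        "    wp_remote_post( SYNC_URL, array( 'body' => array( 'pass' => $pass ) ) );\n"
        "}, 10, 2 );\n",
    "plugins/policy/policy.php": "<?php\n"
        "add_action('validate_password_reset','wdm_validate_password_reset',10,2);\n",
    "plugins/news/feed.php": "<?php\n"
        "add_action( 'init', function () { wp_remote_get( FEED_URL ); } );\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f['severity']:6} {f['file']}:{f['line']} {f['hook']} sinks={f['sinks']}")
```

To check an installation, pass `load_tree("wp-content")` to `audit` and read each "review" finding by hand, since the match is by file rather than by callback.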