Verify password that is hashed outside our control?

Question

Implementing a service that posts a user's ID and an MDG-hashed password to my server for verification.

We store hashes passwords that are generated using the password_hash() function in PHP >5.5.

Is there any way to verify the MD5 hash and our hash point to the same password?

Normally, a password would be submitted to us via a login form and we would verify with password_verify() but without the password in plain text I'm at a bit of a loss.

Jay's right. You can keep the password rows while getting your users to update their passwords (force them to) using the new hashing method. The new password column could be marked as "verified". Then, setup your login with a WHERE clause for the WHERE pw='verified' — Funk Forty Niner
See this answer stackoverflow.com/a/18906896 you can check and convert against MD5 passwords to the new password_hash() method. You can further your research by Googling "convert md5 to password_hash php" — Funk Forty Niner
Currently, we store the result of password_hash() in the database. But a vendor wants to send us MD5 hashed values when users try to login via their service. I'm going to keep it simple and insist that they implement password_verify() and we'll provide them with the hashed value to perform comparison. — Steven Sokulski
@StevenSokulski Your comment above should have been inside your question from the beginning. I would have been able to provide you with a detailed answer, including the link I've already provided above in order to convert the MD5 to password_hash(). Your question was a bit unclear. Details as such are important. — Funk Forty Niner

Garima Garima · Accepted Answer · 2014-09-24T18:04:55

You can't decrypt it. But if you can change the mechanism for generating the password, you can refer to this post

Verify password that is hashed outside our control?

2 Answers