I'm trying to make use of the PayPal Subscription with IPN to provide monthly billing for my customers. The IPN works fine but I am not sure how the password hashing works.

username (optional) Username generated by PayPal and given to subscriber to access the subscription. 64 password (optional) Password generated by PayPal and given to subscriber to access the subscription (password will be encrypted).

My understanding was that I need to 'hash' the real password and then compare it with the saved 'hashed' password I received via IPN. but there is no mention on what that 'hash' really is. From some forum I gather it is a 'linux crypt' and 'Apache password'. So I have tried to find c# implementation and online generators to hash the password but I never get the IPN hashed password as a result.

• A) This is what I get via IPN: password=nw4eVBBG2F0hk
• B) This is what I see when I look at the Seller record: Password uq6oa0zmZSORU
• C) This what the customer see in their record: Password probe^blob

I need a way to get from C to A and it would be nice to know why is B different then A.

This is going to sound pretty weird, but this seems to be how it is working and I'm not exactly sure how this works out from your end if you're trying to pre-hash.

Paypal uses a des crypt on the password with the final password's first 2 char as salt. So for example, if you do:

<?php echo crypt("probe^blob", "nw"); ?>

You will get the salted password. I have no idea how they are doing that on their end, and it's sort of inefficient to check that after the fact with a large user base.

Source: http://www.sitepoint.com/forums/showthread.php?52952-PayPal-IPN-Password-Hashing