I can't find out how Joomla encrypted passwords. My problem is that I want to make the exact method as Joomla does in a simple PHP page with a form and without any OOP method.
So this is my input as a password:
test
and this is my output as an encrypted password in Joomla database:
$2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm
I found out that it is maybe in connection with the BLOWFISH encryption, but it needs something else (for example: generated salt or a token in the database which I couldn't find)
Joomla! uses PhPass.
root/libraries/phpass/PasswordHash.php
Have a look here. You will see here how the password is generated.
The $2y is the default (and preferred) prefix on bcrypt hashes. As for code, you'll want to look inside JUserHelper's hashPassword and verifyPassword methods to see how Joomla's working with things right now.
Some References -
https://github.com/joomla/joomla-cms/blob/3.4.1/libraries/joomla/user/helper.php#L296-L387
https://docs.joomla.org/API15:JUserHelper/getCryptedPassword
https://docs.joomla.org/API15:JUserHelper/getSalt
Check the links, I hope it will help you ;)
Hi, the encryption is made by the class named 'PasswordHash.php', which in Joomla is located under libraries/phpass.
If you want to use it in a PHP script outside of the Joomla framework, you can import only this class.
This is an example:
<?php
require 'PasswordHash.php';
header('Content-type: text/plain');
// First argument: iteration count (log2); second argument: portable hashes flag
$t_hasher = new PasswordHash(10, TRUE);
$correct = 'test';
// Hash the known-good password
$hash = $t_hasher->HashPassword($correct);
print 'Hash: ' . $hash . "\n";
// Get the password to check from the GET variable (empty string if missing)
$p = isset($_GET['p']) ? $_GET['p'] : '';
// Check whether it matches the hash
$check = $t_hasher->CheckPassword($p, $hash);
if ($check) {
    print 'CORRECT PASSWORD';
} else {
    print 'WRONG PASSWORD';
}
?>
Then you call this script with yourscriptname.php?p=PASSWORDTOCHECK.
Here you can find the documentation of the class http://www.openwall.com/phpass/
Thank you for your reply
I use your code in my page with a form but the output ($hash) is not the same as what I want
<?php
require 'PasswordHash.php';
if (isset($_POST['send'])) {
    $t_hasher = new PasswordHash(10, TRUE);
    $correct = $_POST['pass'];
    $hash = $t_hasher->HashPassword($correct);
    print 'Hash: ' . $hash . "\n";
}
?>
<form action="" method="post">
    <input type="text" name="pass">
    <input type="submit" name="send" value="send">
</form>
This is my code and the class is in the root directory so it works fine.
So the output is always different. This hash might be stored somewhere in the code or in the database to generate this ($2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm) password
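Added example (not part of the thread, and not Joomla's or phpass's own code): it uses PHP's built-in password_hash(), password_verify() and crypt() to show where the salt of a $2y$ hash lives, why hashing the same password twice gives two different strings, and how a stored hash is still checked. The function name parse_bcrypt is an assumption made for illustration; the stored hash is the one quoted in the question.

```php
<?php
// Added example: the salt is inside the bcrypt string, not in a separate DB column.
// Layout: $<variant>$<cost>$<22-char salt><31-char digest>  (60 characters in total)

// Hypothetical helper: split a bcrypt string into its fields, or return null.
function parse_bcrypt($hash)
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt-format string
    }
    return array(
        'variant' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'digest'  => $m[4],
    );
}

// Hash taken from the question above.
$stored = '$2y$10$XXrVok3/3Otqg6FmqFzUmObA.rLpLt.BswwSJ7d.iCPoGSJtcqSvm';
print_r(parse_bcrypt($stored));

// Each call draws a fresh random salt, so two hashes of one password are not equal.
$a = password_hash('test', PASSWORD_BCRYPT, array('cost' => 10));
$b = password_hash('test', PASSWORD_BCRYPT, array('cost' => 10));
echo 'same string?   ';
var_dump($a === $b);

// Both still verify, because verification reuses the salt embedded in each hash.
echo 'a verifies?    ';
var_dump(password_verify('test', $a));
echo 'b verifies?    ';
var_dump(password_verify('test', $b));

// What verification does internally: re-hash the candidate with the stored
// variant, cost and salt, then compare the result in constant time.
$recomputed = crypt('test', $a);
echo 'recomputed ok? ';
var_dump(hash_equals($a, $recomputed));

// Checking a submitted password against the value read from the database.
$candidate = 'test'; // constructed input; in a form handler this would be $_POST['pass']
echo 'stored check:  ';
var_dump(password_verify($candidate, $stored));
```

To reproduce a login check outside Joomla, compare with password_verify() (or phpass's CheckPassword) against the stored string instead of generating a new hash and comparing the two strings.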