How do I know the value of the string which is used as the salt for Joomla's salt-enhanced password file encryption?
Joomla creates a random salt for every password. Here you'll find valuable information about how to use the Joomla techniques to create passwords:
From that bit you can see that the salt is saved after the password, with a colon as the delimiter.
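// Generate a random 32-character salt for this password
$salt = JUserHelper::genRandomPassword(32);
// Hash the password together with the salt
$crypt = JUserHelper::getCryptedPassword("blabla", $salt);
// Stored value: hash, colon, salt
$password = $crypt . ':' . $salt;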
[EDIT] I just needed to write an authorisation validator with Zend_Auth to validate against a Joomla (1.) install, and I decided to update the information here about this. A snippet of my code:
$dbAdapter = Zend_Registry::get('jdb');
$this->_authAdapter = new Zend_Auth_Adapter_DbTable($dbAdapter);
$this->_authAdapter->setTableName('jos_users')
                   ->setIdentityColumn('username')
                   ->setCredentialColumn('password');

// Joomla 1.0 uses hashes in the form md5(password + salt) + salt
$users = new Users();
$hash = $users->getHash($value);
// The salt is everything after the colon in the stored value
$salt = substr($hash, strpos($hash, ':') + 1);
// Rebuild the credential in the stored format so the adapter can compare it
$password = md5($context['password'] . $salt) . ':' . $salt;
In the password field in the customers table, it is the bit following the ":".
The formula is something like
password DB field = md5(password + salt) + ":" + salt
I'm not familiar with Joomla in particular, but many salted passwords either keep the salt within the password string, separated by a delimiter (typically $ or some other non-alphanumeric character), or it might be saved in a separate column in the DB table.
If Joomla is randomly generating the salt every time, how on earth will it validate users' logins against it? I thought normally the salted password was supposed to be saved somewhere as plain text, and you validated against the hashed version of this and the hashed password.
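The following is an added example, not code from any of the posts above or from Joomla itself. It shows how a login is checked against the md5(password + salt) + ":" + salt format described in the thread: the random salt is read back out of the stored value and reused. The function names and the sample password are hypothetical, and random_bytes() stands in for JUserHelper::genRandomPassword().

```php
<?php
// Added example; function names are hypothetical, not Joomla's API.

// Build a stored value in the thread's format: md5(password . salt) . ':' . salt
function legacy_make_stored(string $password): string
{
    // 16 random bytes -> 32 hex characters (assumed stand-in for genRandomPassword(32))
    $salt = bin2hex(random_bytes(16));
    return md5($password . $salt) . ':' . $salt;
}

// Check a login attempt against a stored "digest:salt" value.
function legacy_verify(string $password, string $stored): bool
{
    // Split at the first colon: left is the MD5 hex digest, right is the salt.
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || $parts[1] === '') {
        return false; // malformed stored value: fail closed
    }
    [$digest, $salt] = $parts;
    // Recompute with the salt taken from the stored value and
    // compare in constant time rather than with ==.
    return hash_equals(strtolower($digest), md5($password . $salt));
}

// Constructed sample data.
$first  = legacy_make_stored('blabla');
$second = legacy_make_stored('blabla');

// Same password, different random salts, so the stored strings differ.
var_dump($first !== $second);

// Verification still works because the salt travels with the hash.
var_dump(legacy_verify('blabla', $first));
var_dump(legacy_verify('wrong-guess', $first));
var_dump(legacy_verify('blabla', 'value-without-delimiter'));

// Salted MD5 is cheap to brute-force offline; after a successful legacy
// check the plaintext is available, so it can be re-hashed with PHP's
// password_hash() and the old value replaced.
if (legacy_verify('blabla', $first)) {
    $upgraded = password_hash('blabla', PASSWORD_DEFAULT);
    var_dump(password_verify('blabla', $upgraded));
}
```

The salt is not a secret. Its job is to make identical passwords produce different stored values, which is why it can sit in the same column as the digest.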