CypherX edited this page Aug 2, 2011 · 2 revisions

From version 2.0 onwards, xAuth hashes passwords with the Whirlpool algorithm combined with a randomly generated salt.


Example

Plaintext: password
Hashed: cb5ef15b400cef07addb37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb

How does it work?

1. First, the salt is created by taking the first 12 characters of the Whirlpool hash of a randomly generated value.

400cef07addb

2. Next, the salt is prepended to the plaintext password and the result is hashed with Whirlpool (128 hex characters).

400cef07addbpassword
cb5ef15b37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb

3. Finally, the salt is inserted into the hash from step 2 at an offset equal to the length of the plaintext password (8 for "password", so after the first 8 hex characters).

cb5ef15b[[400cef07addb]]37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb



PHP Function

function encryptPassword($password) {
	// 12-character salt: first 12 hex chars of the Whirlpool hash of a random, unique string
	$salt = substr(hash('whirlpool', uniqid(rand(), true)), 0, 12);
	// 128-character hex Whirlpool digest of salt + plaintext
	$hash = hash('whirlpool', $salt . $password);
	// the salt is spliced in at an offset equal to the password length, capped at the digest length
	$saltPos = min(strlen($password), strlen($hash));
	return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
}

function checkPassword($realPass, $checkPass) {
	// check for old encryption: unsalted md5 (32 hex chars) or unsalted Whirlpool (128 hex chars)
	if (strlen($realPass) == 32 || strlen($realPass) == 128) {
		$hash = (strlen($realPass) == 32 ? md5($checkPass) : hash('whirlpool', $checkPass));
		// strict comparison: a loose == would compare hex strings such as "0e..." as numbers
		// change password to new encryption?
		return $hash === $realPass;
	}

	// xAuth 2 encryption: 128-char digest with the 12-char salt spliced in.
	// The offset must be capped at the digest length (strlen($realPass) - 12), exactly as in
	// encryptPassword; capping at the full stored length would break passwords longer than 128 chars.
	$saltPos = min(strlen($checkPass), strlen($realPass) - 12);

	// extract salt
	$salt = substr($realPass, $saltPos, 12);

	$hash = hash('whirlpool', $salt . $checkPass);
	return (substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos)) === $realPass;
}
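The following is an added example, not xAuth's own code, that walks the three steps above in the other direction: it recognises the three stored formats by shape, splits an xAuth 2 value back into its salt and digest, verifies a candidate password with a constant-time compare, and answers the "change password to new encryption?" comment by returning an upgraded xAuth 2 value when a login against a legacy md5 or unsalted Whirlpool entry succeeds. It assumes PHP 7.1+ with the standard hash and ctype extensions; all function and constant names are this example's own.

```php
<?php
// Added example, not xAuth's own code. Assumes PHP 7.1+ with the standard hash
// extension (which provides 'whirlpool') and ctype. Names below are this example's own.

const XAUTH_SALT_LEN    = 12;  // salt = first 12 hex chars of a Whirlpool hash
const WHIRLPOOL_HEX_LEN = 128; // Whirlpool digest is 512 bits = 128 hex chars

// Build an xAuth 2 stored value from a plaintext and a known salt, following the page's
// scheme: Whirlpool(salt . password) with the salt spliced in at offset strlen(password),
// capped at the digest length.
function buildStoredHash(string $password, string $salt): string {
    $digest  = hash('whirlpool', $salt . $password);
    $saltPos = min(strlen($password), WHIRLPOOL_HEX_LEN);
    return substr($digest, 0, $saltPos) . $salt . substr($digest, $saltPos);
}

// Fresh salt from the CSPRNG rather than uniqid(rand()): 6 random bytes -> 12 hex chars.
function newSalt(): string {
    return bin2hex(random_bytes(XAUTH_SALT_LEN / 2));
}

// Classify a stored value by its shape: legacy md5, legacy unsalted Whirlpool, xAuth 2, or unknown.
function hashScheme(string $stored): string {
    if (!ctype_xdigit($stored)) {
        return 'unknown';
    }
    switch (strlen($stored)) {
        case 32:                                 return 'md5';
        case WHIRLPOOL_HEX_LEN:                  return 'whirlpool';
        case WHIRLPOOL_HEX_LEN + XAUTH_SALT_LEN: return 'xauth2';
        default:                                 return 'unknown';
    }
}

// Split an xAuth 2 stored value back into [salt, digest] for the given plaintext.
// Returns null when the stored value does not have the xAuth 2 shape (140 hex chars).
function splitStoredHash(string $stored, string $password): ?array {
    if (hashScheme($stored) !== 'xauth2') {
        return null;
    }
    $saltPos = min(strlen($password), WHIRLPOOL_HEX_LEN);
    $salt    = substr($stored, $saltPos, XAUTH_SALT_LEN);
    $digest  = substr($stored, 0, $saltPos) . substr($stored, $saltPos + XAUTH_SALT_LEN);
    return [$salt, $digest];
}

// Verify a candidate password against any of the three stored formats. hash_equals is
// constant-time and strict; a loose == would also coerce "0e..." hex strings to numbers.
function verifyPassword(string $stored, string $password): bool {
    switch (hashScheme($stored)) {
        case 'md5':
            return hash_equals($stored, md5($password));
        case 'whirlpool':
            return hash_equals($stored, hash('whirlpool', $password));
        case 'xauth2':
            [$salt] = splitStoredHash($stored, $password);
            return hash_equals($stored, buildStoredHash($password, $salt));
        default:
            return false;
    }
}

// Login flow: on a successful login against a legacy entry, return a fresh xAuth 2 value
// for the caller to store in place of the old one. Returns [ok, upgradedValueOrNull].
function loginAndUpgrade(string $stored, string $password): array {
    if (!verifyPassword($stored, $password)) {
        return [false, null];
    }
    if (hashScheme($stored) === 'xauth2') {
        return [true, null]; // already in the current format, nothing to rewrite
    }
    return [true, buildStoredHash($password, newSalt())];
}

// Walk through the page's worked example: plaintext "password", salt "400cef07addb".
$stored = 'cb5ef15b400cef07addb37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb';
[$salt, $digest] = splitStoredHash($stored, 'password');
printf("scheme=%s salt=%s digest=%s...\n", hashScheme($stored), $salt, substr($digest, 0, 16));
var_dump(verifyPassword($stored, 'password'));
var_dump(verifyPassword($stored, 'Password'));

// Constructed legacy md5 entry: upgraded to an xAuth 2 value on the first successful login.
[$ok, $upgraded] = loginAndUpgrade(md5('password'), 'password');
var_dump($ok, $upgraded !== null && hashScheme($upgraded) === 'xauth2');
```

Two design choices differ from the page's function on purpose: the salt comes from random_bytes instead of uniqid(rand()), and every comparison goes through hash_equals. Note that the scheme itself is a single, fast Whirlpool computation; the example reproduces it for compatibility with existing xAuth 2 databases rather than as a recommended password-storage design.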
