What type of hash does WordPress use?

What type of hash does WordPress use?
Here is an example of a WordPress hash:

> $P$Bp.ZDNMM98mGNxCtHSkc1DqdRPXeoR.

The WordPress password hasher implements the Portable PHP password hashing framework, which is used in Content Management Systems like WordPress and Drupal.

They used to use MD5 in the older versions, but sadly for me, no more. You can generate hashes using this encryption scheme at http://scriptserver.mainframe8.com/wordpress_password_hasher.php.

$hash_type$salt$password

If the hash does not use a salt, then there is no $ sign for that. The actual hash in your case is after the 2nd $

The reason for this is, so you can have many types of hashes with different salts and feeds that string into a function that knows how to match it with some other value.

For manually resetting the password in Wordpress DB, a simple MD5 hash is sufficient. (see reason below)

To prevent breaking backwards compatibility, MD5-hashed passwords stored in the database are still valid. When a user logs in with such a password, WordPress detects MD5 was used, rehashes the password using the more secure method, and stores the new hash in the database.

Source: http://eamann.com/tech/wordpress-password-hashing/

Update: this was an answer posted in 2014. I don't know if it still works for the latest version of WP since I don't work with WP anymore.

MD5 worked for me changing my database manually. See: Resetting Your Password

It depends at least on the version of PHP that is used. wp-includes/class-phpass.php contains all the answers.

I had same problem finding out what kind of Hash does Wordpress Uses .

It is wp hash password.

Example

Compare an already hashed password with its plain-text string:

<?php
$wp_hasher = new PasswordHash(8, TRUE);

$password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
$plain_password = 'test';

if($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
    echo "YES, Matched";
} else {
    echo "No, Wrong Password";
}
?>

See These Links: https://codex.wordpress.org/Function_Reference/wp_hash_password

https://developer.wordpress.org/reference/functions/wp_hash_password

It uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5.

The best way to do this is using WordPress class to authenticate users. Here is my solutions:

1. Include following WordPress PHP file:

include_once(dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . "wp-includes" . DIRECTORY_SEPARATOR . "class-phpass.php");

2. Create an object of PasswordHash class:

$wp_hasher = new PasswordHash(8, true);

3. call CheckPassword function to authenticate user:

$check = $wp_hasher->CheckPassword($password, $row['user_pass']);

4. check $check variable:

if($check) {
   echo "password is correct";
} else {
   echo "password is incorrect";
}

Please Note that: $password is the un-hashed password in clear text whereas $row['user_pass'] is the hashed password that you need to fetch from the database.

Start phpMyAdmin and access wp_users from your wordpress instance. Edit record and select user_pass function to match MD5. Write the string that will be your new password in VALUE. Click, GO. Go to your wordpress website and enter your new password. Back to phpMyAdmin you will see that WP changed the HASH to something like $P$B... enjoy!

Wordpress uses MD5 Password hashing. Creates a hash of a plain text password. Unless the global $wp_hasher is set, the default implementation uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5. MD5 is used by default because it's supported on all platforms. You can configure PasswordHash to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property.

include_once('../../../wp-config.php');

global $wpdb;

$password = wp_hash_password("your password");

By default wordpress uses MD5. You can upgrade it to blowfish or extended DES.