Jump to content

About Hashing Method In Pw


Recommended Posts


I'm learning about password management/security in order to synchronize logins between PW users and Foxycart. In Foxycart I need to choose the password hash type I'm using.

In my installation of PW wire->config.php shows:

$config->userAuthHashType = 'sha1';

But in the post https://processwire.com/talk/topic/2954-password-hashing/ Ryan says:

In ProcessWire 2.3, The $config->userAuthHashType is only used as a fallback if bcrypt/blowfish isn't available. 

I'm using 2.4.4 version.

As the server which PW shows blowfish is available I understand PW is using it. Foxycart doesn´t list this hash algorithm available.

So, where should I change the hash method in wire->config? but it is overriden if blowfish is available in the server anyway? 

I'm a bit lost here  :mellow: , any direction / help would be appreciated.

Link to comment
Share on other sites

What are you trying to do exactly? ProcessWire uses salt also, so telling foxycart just about the hash algorithm PW uses has no use at all. Is there some documentation page on Foxy carts site that we can reference?

Link to comment
Share on other sites


It shows a list with the available methods to use with Foxycart.

There are several options, for different CMSs, eg Wordpress or Drupal, salt included.

I need Processwire to use one of this methods in order to sync the password between the PW users and Foxy users, as I understand I need to use the same hash method + salt so a user registered through Foxy could not login / validate password in PW, because the hashes would be different.

Link to comment
Share on other sites

alejandro, I have also done a Foxycart / PW integration.

This took me quite a while to get my head around too.

Quite simply, it doesn't matter which hashing method you choose in FoxyCart (I chose sha256)

This was my setup:

1. customer registers in FoxyCart

2. customer pays and datafeed is sent back to PW

3. password in datafeed is already sha256 so I just create a new user in PW with the already hashed password.

4. new PW user is setup which has a password which is sha256 hashed THEN PW hashed.

If you are setting up a login form where this user can login to PW, all you have to remember is you must sha256 the entered password, and use that in the $session->login call

Hope that is all clear

  • Like 3
Link to comment
Share on other sites


Can´t try it right now, but I understand it and it seems quite clear. I was having headaches thinking about possible weird solutions, like using two different passwords for each user (probabily not doable).

Maybe later, when coding it, I'll have some doubts but I see the way to do it.

Thank you very much.  :D

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Similar Content

    • By Lewis Newson
      Hi All,
      Im working on streamlining my email sending setup for SMTP. I have a page where the user of the website can input the SMTP host, port, connection type email and password etc but the password field has an additional box underneath it for 'Confirming' it as if it were a new password. The placeholder text also says 'New Password' but I want to be able to change that. I just need an input field where they can enter their SMTP password without it being plain text.
      Thanks for your help!
    • By Tyssen
      I have a client who is reporting that in the last couple of days they can no longer login to their site with their normal browser (Chrome). Using another browser or an incognito window works.
      I've tried logging into the site using the same login details in my usual browser (Firefox) and have had no problems.
      The site is a membership site and today other members are reporting the same problem.
      The site is running 3.0.148 and has the session handler DB and login throttle modules installed. It was recently upgraded to 3.x from 2.x. But no changes have been made to the site between the time when they were able to login OK and when the problem started happening.
    • By anttila
      We are developing an App that sends data over the Internet to ProcessWire (POST/JSON). We want password to be protected somehow when sending it, but I should be able to compare it to PW's passwords. We were thinking of using md5 encryption, but PW uses different encryption.
      How can I be sure that user has active account when they use the App?
    • By Robin S
      Password Generator
      Adds a password generator to InputfieldPassword.

      Install the Password Generator module.
      Now any InputfieldPassword has a password generation feature. The settings for the generator are taken automatically from the settings* of the password field.
      *Settings not supported by the generator:
      Complexify: but generated passwords should still satisfy complexify settings in the recommended range. Banned words: but the generated passwords are random strings so actual words are unlikely to occur.  
    • By AndZyk
      can somebody tell me, if it is possible to get the clear password of an InputfieldPassword inside a module, before it is encrypted?
      I have made a custom module which sets the password of an Auth0User after the hook publishReady with a random generated password. When I try to get a clear password from a InputfieldPassword in this hook, it is of course already encrypted (which is of course good). But is there a hook before the encryption, so I could get it one time to send it to Auth0?
      If there is not such thing, could be another possibility to add a jQuery script to get the value directly from the DOM and save it somewhere temporarily?
      I know this might be an unusual question, but I would appreciate any feedback. 
      Regards, Andreas
  • Create New...