phplist password encryption

Posted: 12:13pm, Wed 06 Aug, 2014
by libarymark
Hello -

We are using phplist to manage an email list for a public library. I would also like to use its database to authenticate users who wish to store session data on our server using their email address. I did not want to write my own email credential manager.

I understand that the encryption phplist is using is sha256, but I could not make it work when trying to authenticate to the DB. Is there something going on with the encryption that I am missing? I am a mediocre PHP programmer, and while I looked over the code, it did not appear to me that there is any salt or such added to the password.

Can someone point me in the right direction?


Library Mark

Posted: 1:13pm, Wed 06 Aug, 2014
by duncanc
It should be as simple as this, so long as the algorithm really is sha256. If you used user passwords in an earlier release of phplist then a different algorithm might have been used.

Code:
hash('sha256', $password);

To confirm this, at a command prompt hash a password that you know and compare to the value stored in the database.
Code:
 php -r "echo hash('sha256', 'mypassword');"
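
The check described in the post above, as an added example that is not part of the original thread and is not phplist code: it verifies a login attempt against an unsalted hex digest with a constant-time comparison, and uses the digest length to pick candidate algorithms in case an older install stored something other than sha256. The function names and the md5/sha1 candidates are assumptions for illustration; the stored value is constructed inline rather than read from a database.

```php
<?php
// Added example (hypothetical helper names, not phplist's own code).

/**
 * Guess candidate algorithms from the length of a stored hex digest.
 * The md5/sha1 entries are assumptions based on digest length only.
 */
function candidate_algos(string $storedHex): array
{
    $byLength = [32 => ['md5'], 40 => ['sha1'], 64 => ['sha256']];
    if (!ctype_xdigit($storedHex)) {
        return []; // not a plain hex digest, nothing to try
    }
    return $byLength[strlen($storedHex)] ?? [];
}

/**
 * Return the name of the algorithm that matched, or null on failure.
 */
function verify_unsalted(string $password, string $storedHex): ?string
{
    // Stray whitespace or upper-case hex from the database would
    // otherwise make an identical digest compare as different.
    $storedHex = strtolower(trim($storedHex));
    foreach (candidate_algos($storedHex) as $algo) {
        // hash_equals() compares in constant time, unlike == or ===.
        if (hash_equals($storedHex, hash($algo, $password))) {
            return $algo;
        }
    }
    return null;
}

// Constructed sample standing in for the value stored in the database.
$stored = hash('sha256', 'mypassword') . "\n";

var_dump(verify_unsalted('mypassword', $stored));
var_dump(verify_unsalted('wrongpass', $stored));
var_dump(verify_unsalted('mypassword', md5('mypassword')));
```

An unsalted sha256 digest is fast to brute-force if the table leaks, so an application that authenticates against it can store its own `password_hash()` value after a successful login and use `password_verify()` from then on.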

Posted: 3:05pm, Sat 16 Aug, 2014
by libarymark
Thanks, duncanc! I don't know why I could not make that work but it does now.