Joomla passwords are MD5 hashed, but the passwords are salted before being hashed. They are stored in the database as {hash}:{salt}this salt is a random string 32 characters in length.

Joomla 密码是 MD5 散列的，但密码在散列之前是加盐的。它们存储在数据库中，因为{hash}:{salt}该盐是一个长度为 32 个字符的随机字符串。

So to create a new password hash you would do md5($password.$salt)

所以要创建一个新的密码哈希，你会这样做 md5($password.$salt)

EDIT

编辑

Okay so for checking a password, say a user myguyenters the password mypassword, you would retrieve the row from the database that has username myguy.

好的，所以为了检查密码，假设用户myguy输入密码mypassword，您将从具有 username 的数据库中检索行myguy。

In this row you'll find a password say 4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT. You split up the password hash and the salt:

在这一行中，您会找到一个密码，例如4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT。您将密码哈希和盐分开：

$hashparts = preg_split (':' , $dbpassword);
echo $hashparts[0]; //this is the hash  4e9e4bcc5752d6f939aedb42408fd3aa
echo $hashparts[1]; //this is the salt  0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT

now calculate the hash using this salt and the password myguyentered

现在使用此盐和myguy输入的密码计算哈希

$userhash = md5($userpassword.$hashparts[1]); // This would be 'mypassword' and the salt used in the original hash

Now if this $userhashand $hashparts[0]are identical the user has entered the correct password.

现在，如果这$userhash和$hashparts[0]相同，则用户输入了正确的密码。

From joomla Forum, that's what happen behind:

从 joomla 论坛，这就是后面发生的事情：

A. Generate a password
B. Generate a string with 32 random characters
C. Concatenate Password (Step A) and RandomString (Step B)
D. Take md5(Result of Step C)
E. store Step D Result : Step B Result

Example:

例子：

Generate a password - Let 'testing'
Generate a string of 32 random characters - 'aNs1L5PajsIscupUskaNdPenustelsPe'
Concatenate Password and random string - testingaNs1L5PajsIscupUskaNdPenustelsPe
md5(Step C Result) - 5cf56p85sf15lpyf30c3fd19819p58ly
store step d:step B - 5cf56p85sf15lpyf30c3fd19819p58ly:aNs1L5PajsIscupUskaNdPenustelsPe

You can find code in Joomla like

您可以在 Joomla 中找到代码，例如

$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword("testing", $salt);
$password = $crypt . ':' . $salt;

Or We can Say

或者我们可以说

password DB field = md5(password + salt) + ":" + salt 

Where salt is random 32 char string.

其中 salt 是随机的 32 个字符字符串。

thanks

谢谢

In joomla standard you can create password using the following way

在 joomla 标准中，您可以使用以下方式创建密码

                     jimport('joomla.user.helper');
             $salt = JUserHelper::genRandomPassword(32);
             $crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
             $password = $crypt.':'.$salt;

you mention that you are accessing from external file(or programs) then if you have joomla installation on other side you can access it from outside the joomla structure.

您提到您正在从外部文件（或程序）访问，那么如果您在另一端安装了 joomla，则可以从 joomla 结构外部访问它。

using joomla default frame work like this

使用 joomla 默认框架像这样工作

define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();

I couldn't use preg_splitbut explodeworks well.

我无法使用preg_split但explode效果很好。

$hashparts = explode (':' , $dbpassword);

From the joomla source file libraries/joomla/crypt/password/simple.php there are multiple ways they get stored, and some do not have a ':' character.

从 joomla 源文件 libraries/joomla/crypt/password/simple.php 有多种存储方式，有些没有 ':' 字符。

    switch ($type)
    {
        case 'a$':
        case JCryptPassword::BLOWFISH:
            if (JCrypt::hasStrongPasswordSupport())
            {
                $type = 'y$';
            }
            else
            {
                $type = 'a$';
            }

            $salt = $type . str_pad($this->cost, 2, '0', STR_PAD_LEFT) . '$' . $this->getSalt(22);

            return crypt($password, $salt);

        case JCryptPassword::MD5:
            $salt = $this->getSalt(12);

            $salt = '$' . $salt;

            return crypt($password, $salt);

        case JCryptPassword::JOOMLA:
            $salt = $this->getSalt(32);

            return md5($password . $salt) . ':' . $salt;


    }
}

Joomla! uses PhPass.

乔姆拉！使用PhPass。

root/libraries/phpass/PasswordHash.php

have a look here. you will see here how the password is generating.

看看这里。您将在此处看到密码是如何生成的。

The $2yis the default (and preferred) prefix on bcrypt hashes. As for code, you'll want to look inside JUserHelper'shashPasswordand verifyPasswordmethods to see how Joomla's working with things right now.

该$ 2Y是默认（和首选）前缀的bcrypt哈希值。至于代码，您需要查看内部JUserHelper'shashPassword和verifyPassword方法，以了解 Joomla 现在如何处理事物。

Some Referances -

一些参考资料——

https://github.com/joomla/joomla-cms/blob/3.4.1/libraries/joomla/user/helper.php#L296-L387

https://github.com/joomla/joomla-cms/blob/3.4.1/libraries/joomla/user/helper.php#L296-L387

https://docs.joomla.org/API15:JUserHelper/getCryptedPassword

https://docs.joomla.org/API15:JUserHelper/getCryptedPassword

https://docs.joomla.org/API15:JUserHelper/getSalt

https://docs.joomla.org/API15:JUserHelper/getSalt

Check the links, I hope you it will helpful :)

检查链接，我希望你会有所帮助:)

<?php
$r = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
$p = 'the_password';

$s = $p . $r;
$m = md5($s);

$out = $m . ':' . $r;
echo $out;

Len 16 because bin2hex doubles the character size, since 1 byte becomes 2 bytes

Len 16 因为 bin2hex 将字符大小加倍，因为 1 个字节变成了 2 个字节

Joomla "understands" the passwords with "normal" md5.

Joomla 使用“普通”md5“理解”密码。

What I've done in the past (to test a user's login), was to save the original password, encrypt a new one in md5, replace it in the database, test it with the browser (and it works) and when I was done, paste the original password in the database.

我过去所做的（测试用户登录）是保存原始密码，在 md5 中加密一个新密码，在数据库中替换它，用浏览器测试它（并且它可以工作）以及当我完成后，将原始密码粘贴到数据库中。

If you just use md5($password); it'll work, try it. Joomla has a mechanism and it can work with multiple types of passwords (including, as of late, strong passwords). You don't have to worry about the part after the colon. Just use md5($password) and it'll definitely work.

如果你只是使用 md5($password); 它会工作，试试吧。Joomla 有一个机制，它可以使用多种类型的密码（包括最近的强密码）。您不必担心冒号后面的部分。只需使用 md5($password) 就可以了。

By the way, this'll also work on Joomla 3.x.

顺便说一句，这也适用于 Joomla 3.x。