lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hi all,

I'm very pleasure to announce that Lua implementation of the portable
PHP password hashing framework is avaliable.

Installation: luarocks install phpass
Dependencies: LuaCrypto
License: MIT

phpass (pronounced "pH pass") is a portable public domain password
hashing framework for use in PHP applications [1]. phpass has been
integrated into WordPress, bbPress, Vanilla, PivotX, Chyrp, Textpattern
and concrete5.

This Lua module implements a subset of phpass (iterated MD5). It's
sufficient to create and check a password hash compatible with portable
phpass hash, e.g. a password from wordpress database. Blowfish-based
bcrypt and BSDI-style extended DES-based hashes are not supported.

The code was tested against Lua 5.1, 5.2 and LuaJIT 2.0, 2.1.
LuaCrypto fails to build against Lua 5.3.


    phpass = require 'phpass'
    password = 'test12345'
    hash = phpass.hashPassword(password)
    --> "$P$EYyDnrNHtS2MG5vTVkvXD6wMnd0C/N/"
    phpass.checkPassword(password, hash) --> true
    phpass.checkPassword('other password', hash) --> false


Python-phpass, python implementation of phpass [2] was used as a reference.

The algorithm used in phpass.hashPassword generates random salt, so
this function returns different hashes for a password.

phpass.hashPassword has second argument, count_log2, which is log2 of
number of iterations. The algorithm of hashing is as follows:

    count = 2 ^ count_log2
    salt = ...
    hash = md5(salt .. password)
    for i = 1, count do
        hash = md5(hash .. password)



Best regards,
Boris Nagaev