
[SOLVED] Trying to Verify Current Password CB field against Joomla user password

10 years 7 months ago - 10 years 7 months ago #242421 by prestoproducts
I am trying to create a trigger which will verify that the user has entered the correct current password for their account before updating a new password. To do this I have created a CB user field titled ‘cb_currentpass’ and my plan is to trigger it to verify the value matches the Joomla user password.

The problem that I have found is that the version of Joomla that I am using is not saving the user passwords with a salted, hashed and md5 encrypted value. Rather, the password saved in the database looks more like this:

$P$DzLyqLU1RaXHyqAtR5JJSLleP76d7y/

I have looked into this password and it appears to be the new dcrypt method that Joomla is now using. I have tried a handful of ways to find out how Joomla creates this value, but no luck. So my first question is can you explain how I can take the plaintext value and get the new style password?

My second question is whether or not there is an easier way to approach this issue. I have not seen any such plugin, but I figured I would ask as you may have some type of plan in mind to validate a current password prior to updating the profile. Thank you for the help in this research.
Last edit: 10 years 7 months ago by krileon.

10 years 7 months ago #242449 by krileon

I am trying to create a trigger which will verify that the user has entered the correct current password for their account before updating a new password. To do this I have created a CB user field titled ‘cb_currentpass’ and my plan is to trigger it to verify the value matches the Joomla user password.

Is there any specific reason you need this? Joomla already handles password matching on login, etc. It seems redundant to have to double check this. Also, no, there is no way to do this with a Conditional in an action. You need to call CB user object or Joomla API to validate a password. It is impossible to do a direct comparison due to encryption (very good thing). If you have a CB user object then the below for example will validate a password (returning true or false).

Code:
$validPassword = $user->verifyPassword( $plainTextPassword );

So my first question is can you explain how I can take the plaintext value and get the new style password?

Edit the user, add the plaintext password to their password field, then save the user. That's the absolute most easy way to do it.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.


10 years 7 months ago #242462 by prestoproducts
The reason I have to do this is because of a client's requirements. Here is a screenshot of what they are after:

The idea is that when the user enters a value into the current password field I will either have an AJAX script fire onBlur event and check the value matches in order to allow the password to be updated by the user. Either that, or before the profile is updated the check will take place using CB Auto Actions.

Ultimately I need a way to take the plaintext password and turn it into Joomla's format for password encryption. In the past I could do something like this to achieve this goal:
Code:
$pass = 'plain-text-user-input';
$userIdValue = JFactory::getUser();
$fullPassword = $userIdValue->password;
// pull salt value from password for user (legacy format is "md5hash:salt")
$separatedPassword = explode(":", $fullPassword);
$saltKey = $separatedPassword[1];
// create new password value to query
$saltyPass = $pass.$saltKey;
$md5saltyPass = md5($saltyPass);
$completePassToQuery = $md5saltyPass.':'.$saltKey;
// take password field and query it to determine if it matches

The problem is that Joomla no longer seems to create passwords in this fashion. So my question is how are Joomla passwords now generated?

10 years 7 months ago #242466 by krileon
You can generate a Joomla password from plaintext using a function call on a CB user object. Example as follows.

Code:
$password = $user->hashAndSaltPassword( $plainTextPassword );

With my above reply you can also verify a plaintext password.


Kyle (Krileon)
Community Builder Team Member

10 years 7 months ago #242478 by prestoproducts
I believe I am getting closer to understanding this. When I run the following script I get a hashed value of 123456
Code:
<?php
global $_CB_framework;
$myId = $_CB_framework->myId();
// load the CB user object for the logged-in user
$user = CBuser::getUserDataInstance( $myId );
$plainTextPassword = '123456';
// hash the plaintext password
$password = $user->hashAndSaltPassword( $plainTextPassword );
echo $password;
?>

The value reads as:

$P$D9tQZwh3z/ujaehC2Mh7dy8t6ayvDS0

Now, when I look at the password that is stored for a user with a 123456 password, it looks like this:

$P$D6x5Ydgjjcq/T2Z.p0ghEcjQSOYb3H0

Why don't they match?


10 years 7 months ago #242480 by prestoproducts
Wow... it even gets crazier in that every time I refresh the script I get a different value. How can I possibly match it this way?
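
Why the values differ on every call, as an added example that is not part of the thread and not Joomla or Community Builder source: the `$P$` prefix marks a phpass portable hash, in which the fourth character encodes the iteration count and the next eight characters are a random salt (`9tQZwh3z` and `6x5Ydgjj` in the two hashes above). The function names below are made up for the illustration; the point is that verification re-hashes the input with the salt taken from the stored hash instead of comparing two fresh hashes.

```php
<?php
// Added illustration of the phpass "portable" ($P$) format; hypothetical helper names.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base-64 variant: 3 input bytes become 4 characters, low bits first.
function encode64(string $in, int $count): string {
    $out = ''; $i = 0;
    do {
        $value = ord($in[$i++]);
        $out .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($in[$i]) << 8; }
        $out .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($in[$i]) << 16; }
        $out .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Derive a hash from a password and a "setting" ($P$ + cost char + 8-char salt).
function phpassDerive(string $password, string $setting): ?string {
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== '$P$') { return null; }
    $log2 = strpos(ITOA64, $setting[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return null; }
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . encode64($hash, 16);
}

// Verify: re-derive using the cost and salt embedded in the STORED hash, then compare.
function phpassVerify(string $password, string $stored): bool {
    $derived = phpassDerive($password, $stored);
    return $derived !== null && hash_equals($stored, $derived);
}

// Create: a fresh random salt is chosen on each call, so the output changes each time.
function phpassHash(string $password, int $log2 = 15): string {
    return (string) phpassDerive($password, '$P$' . ITOA64[$log2] . encode64(random_bytes(6), 6));
}

$a = phpassHash('123456');
$b = phpassHash('123456');
var_dump($a, $b, $a === $b);                                       // two hashes of one password
var_dump(phpassVerify('123456', $a), phpassVerify('123456', $b));  // each checked via its own salt
var_dump(phpassVerify('12345', $a));                               // wrong password
```

Inside Joomla with Community Builder, the `$user->verifyPassword( $plainTextPassword )` call from the earlier reply performs this check against the stored password, so there is no need to reimplement the hashing.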
