
How does the password encryption on php fusion work?

Hi guys,

Could someone please explain how exactly the encryption on php-fusion works?
I'm currently using version 7.02.03.

So far I've found out that the user_algo -> sha256 and user_salt->randomly are parts of the encrypted user_password.

I assume that the encrypting procedure is shown in /includes/classes/Authenticate.class; however, I'm not familiar enough with PHP to get it.

Is it: (plaintext+user_salt)->sha256->user_password?
or maybe: (user_salt+plain text) ->sha256->user_password?

Thanks in advance for your feedback.

```php
<?php
// Build a random alphanumeric string in which no two adjacent characters are equal.
// Note: rand() is not a cryptographically secure generator.
function rand_str($length = 40, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890') {
    $chars_length = strlen($chars) - 1;
    $string = $chars[rand(0, $chars_length)];
    for ($i = 1; $i < $length; $i = strlen($string)) {
        $r = $chars[rand(0, $chars_length)];
        if ($r != $string[$i - 1]) {
            $string .= $r;
        }
    }
    return $string;
}

// Plain-text password taken from the "id" query parameter.
$password = $_GET['id'] ?? '';
$user_salt = rand_str();

// Escape the request value before echoing it into HTML.
echo "<b>Parola:</b> ".htmlspecialchars($password, ENT_QUOTES, 'UTF-8')." <br />";
echo "<b>user_salt:</b> ".$user_salt." <br />";

// The salt is the HMAC key and the password is the message.
echo "<b>user_password:</b> ".hash_hmac('sha256', $password, $user_salt);
```


EDIT:// ".hash_hmac('sha256', $password, $user_salt)"
Ok thanks.

If I use an online hashgenerator and put in my password and user_salt, I still get a different encrypted user_password hash than shown in the database or in your generatepassword.php

Any idea why?


If I take the following from your script above:
plain text: hello123
salt: UYA7OPDwjvQbobdQUuxB0pgtglS82WRPXOdmRQMD
user_password = 86115307.....

If I use an online encrypter like Hashgenerator and enter the same plain text and salt, I get a different password: 80d752f8.....

Edit 2: After reviewing the code again I've found that the encryption algorithm is not sha256 but hmac sha256, which causes the difference in the results.

Thanks anyway and regards
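
An added example, not part of the original posts and not PHP-Fusion's own code: it expands HMAC-SHA256 by hand (per RFC 2104) to show why hashing a plain concatenation of password and salt gives a different digest than `hash_hmac('sha256', $password, $user_salt)`. The function names are hypothetical, the password and salt are the sample values quoted above, and the "stored" value is constructed inside the script.

```php
<?php
// HMAC-SHA256 written out by hand: H((K ^ opad) . H((K ^ ipad) . msg)).
function hmac_sha256_manual(string $key, string $msg): string {
    $block = 64;                                  // SHA-256 block size in bytes
    if (strlen($key) > $block) {
        $key = hash('sha256', $key, true);        // over-long keys are hashed first
    }
    $key  = str_pad($key, $block, "\0");          // shorter keys are zero-padded
    $ipad = $key ^ str_repeat("\x36", $block);    // byte-wise XOR on strings
    $opad = $key ^ str_repeat("\x5c", $block);
    return hash('sha256', $opad . hash('sha256', $ipad . $msg, true));
}

// The constructions discussed in the thread, keyed by a readable name.
function candidate_hashes(string $password, string $salt): array {
    return [
        'sha256(password . salt)'             => hash('sha256', $password . $salt),
        'sha256(salt . password)'             => hash('sha256', $salt . $password),
        'hmac_sha256(key=salt, msg=password)' => hash_hmac('sha256', $password, $salt),
        'manual HMAC (key=salt)'              => hmac_sha256_manual($salt, $password),
    ];
}

// Return the names of every construction that reproduces $stored.
function identify_schemes(string $password, string $salt, string $stored): array {
    $matches = [];
    foreach (candidate_hashes($password, $salt) as $name => $digest) {
        // hash_equals() compares in constant time.
        if (hash_equals($digest, strtolower($stored))) {
            $matches[] = $name;
        }
    }
    return $matches;
}

$password = 'hello123';                                  // sample value from the thread
$salt     = 'UYA7OPDwjvQbobdQUuxB0pgtglS82WRPXOdmRQMD';  // sample value from the thread
$stored   = hash_hmac('sha256', $password, $salt);       // constructed stand-in for the DB value

foreach (candidate_hashes($password, $salt) as $name => $digest) {
    printf("%-38s %s\n", $name, $digest);
}
echo "matches stored value: ", implode(', ', identify_schemes($password, $salt, $stored)), "\n";
```

Only the two HMAC rows match the stored value; both concatenation rows differ from it and from each other.
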
How is the salt generated?
Thread Information
4 posts
9183 times
Last Post
Last updated on 7 years ago
Users who participated in discussion: eWe, l34trul3r, thimo2