Java password hashing converted to PHP

I am rebuilding a site using PHP that was originally done in Java. While rebuilding the user login page I found the following code that was used to make stored passwords safer. I am not sure exactly how to break down this code to determine how it was being hashed.
I believe the challenge phrase is being added just to the end of the password they type in and then hashed using MD5 but would like to see if someone here could tell me for sure so I won’t have to require all the users to reset their passwords when we implement the new system.
Thanks for any advice anyone can offer.

Snippet of the code currently in use:
if ( {   // condition truncated in the snippet as posted
    MD5 md = new MD5();
    String challenge = "somerandomcharacters";   // fixed string, same for every login
    byte[] outbytes = new byte[16];               // 16 bytes = one MD5 digest
    String s = dbRes.getString("password") + challenge;   // stored password column + challenge
    // (the lines that feed s into md and fill outbytes are not in the snippet as posted)
    String pwhash = MD5.dumpBytes(outbytes);      // digest rendered as a hex string
    // the client sends the "hash" parameter; it is compared case-insensitively as hex text
    if (!pwhash.equalsIgnoreCase(request.getParameter("hash")))
        throw new Exception("Invalid Username or password");
} else {
    throw new Exception("Invalid Username or password");
}

I don’t know anything about Java, but this looks curious to me :smiley:

if (!pwhash.equalsIgnoreCase(request.getParameter("hash")))
throw new Exception("Invalid Username or password");
} else {
throw new Exception("Invalid Username or password");

Anyway, if you want to know what that java code does, you’d better ask in a java forum. You might get an answer here, but in a java forum your chances are much better :slight_smile:

Ah, we have a java forum :slight_smile:

I’ll ask to have the post moved over there.

If I understand correctly, then:

// $row = the query result row for the submitted username
$challenge = 'somerandomcharacters';
// the second parameter false means hexadecimal output, not raw bytes; change it to true
// only if the Java function outputs the digest in raw format (here it is compared as hex text)
$result = md5($row['password'] . $challenge, false);
// compare case-insensitively, as the Java equalsIgnoreCase does; hash_equals (PHP >= 5.6)
// avoids PHP's loose == comparison of two numeric-looking strings and runs in constant time
if (hash_equals(strtolower($result), strtolower((string) $_REQUEST['hash']))) {
    // password correct
} else {
    // password incorrect
}
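The scheme as it appears in the snippet, written out as a stand-alone model so the PHP port can be checked against a known answer before anyone is asked to reset. This is an added example, not code from the original thread or from the Java or PHP posts: the server reads the stored password column, appends the constant challenge, MD5s the result and compares the hex digest case-insensitively with the "hash" request parameter. It assumes the Java MD5 object is fed `s` before `dumpBytes` is called (those lines are missing from the snippet), and the user table and the "a" + "bc" test vector are constructed for illustration. Because the challenge is a fixed string, the value a client sends is the same on every login for a given password.

```python
"""Model of the legacy login check: hex(MD5(stored_password + challenge)),
compared case-insensitively with the 'hash' request parameter.
Added example (assumptions noted in comments), not the thread's own code."""
import hashlib
import hmac

# The constant from the Java snippet.
CHALLENGE = "somerandomcharacters"

# Constructed sample of the legacy users table. The Java code feeds the
# 'password' column straight into the hash, so whatever that column holds
# (plaintext here) is exactly what the PHP port must use as input.
USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
}


def legacy_hash(stored_password: str, challenge: str = CHALLENGE) -> str:
    """What the client must send as 'hash': lowercase hex of MD5(password + challenge).
    Matches PHP md5($row['password'] . $challenge, false)."""
    return hashlib.md5((stored_password + challenge).encode("utf-8")).hexdigest()


def verify_legacy(stored_password: str, submitted_hash: str,
                  challenge: str = CHALLENGE) -> bool:
    """Server-side check equivalent to the Java equalsIgnoreCase comparison,
    done in constant time after normalising case (assumed: the Java MD5
    object is updated with s before dumpBytes renders outbytes as hex)."""
    if not submitted_hash.isascii():   # compare_digest rejects non-ASCII str
        return False
    expected = legacy_hash(stored_password, challenge)
    return hmac.compare_digest(expected.lower(), submitted_hash.strip().lower())


def login(username: str, submitted_hash: str) -> bool:
    """Mirror of the snippet's two failure paths: unknown user (outer else)
    and mismatching hash (inner throw) both fail the same way."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_legacy(stored, submitted_hash)


def known_answer_check() -> bool:
    """Published MD5 test vector: MD5("abc") = 900150983cd24fb0d6963f7d28e17f72.
    With password "a" and challenge "bc" the concatenation is exactly "abc",
    so this confirms the concatenation order and hex encoding."""
    return legacy_hash("a", "bc") == "900150983cd24fb0d6963f7d28e17f72"


def replay_demo(username: str) -> bool:
    """With a fixed challenge the transmitted hash never changes: the value
    captured from one login logs in again unchanged."""
    captured = legacy_hash(USERS[username])   # what a client sent last time
    return login(username, captured) and login(username, captured)


if __name__ == "__main__":
    print("known answer ok:", known_answer_check())
    print("alice logs in:", login("alice", legacy_hash("correct horse").upper()))
    print("wrong hash rejected:", not login("alice", legacy_hash("hunter2")))
    print("captured hash replays:", replay_demo("bob"))
```

Run it once against a hash captured from the existing Java login (the value of the "hash" parameter in a real request) together with that user's stored password column; if `verify_legacy` returns True, the PHP translation above computes the same thing and no reset is needed.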

Thanks! I’ll give that a try.