I'm surprised this question isn't being asked more often! The PayPal docs are HORRIBLE for this!
The answer to your question is that the password hashes for PayPal's subscription/recurring payments are 13-character Unix-style DES hashes (which I think are provided in base64). In PHP you can use the "crypt" function to produce this hash, and in MySQL you can use the des_encrypt function to produce it. That's not all, though. PayPal uses the first 2 characters from the hash as a salt. I'm not sure how they do this, since it's kind of a "chicken and the egg" issue, but here's an example/proof:
echo "The actual password for a subscription, provided by PayPal: ore9gatexE<br>";
echo "The hash that PayPal provided me with: xEDmQW52fNRIU<br>";
echo "Your hash: " . crypt("ore9gate", "xE");
At this point my problem is that MySQL's des_encrypt() function (which works just like 'crypt' above for what we're doing) outputs a binary hash instead of a string. This means I can't use it to compare hashes with the ones PayPal provides, unless I come up with my own conversion method!
I had to experiment and HUNT for all of this information... Now, I think I either need to use a proprietary base64 MySQL function to convert the binary hash to a string, or I need the opposite, to store the PayPal hashes as binary in my database in the first place.
Hopefully this will save many others a lot of grief!
tyoung !at! stalwart -dot- ca
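
The comparison can also be done in PHP on the printable string, so the hash can be stored as plain text and no binary conversion is needed. The sketch below is an added example, not part of the original post or PayPal's code; verifyDesCrypt is a hypothetical helper name, and it relies on the traditional crypt(3) layout in which the salt is chosen first and written out as the first two characters of the 13-character result.

```php
<?php
// Added example, not PayPal's or the poster's code.
// Traditional DES crypt(3) output: 2 salt characters followed by 11 hash
// characters, all drawn from the alphabet ./0-9A-Za-z.
const DES_CRYPT_PATTERN = '#^[./0-9A-Za-z]{13}$#';

/**
 * Check a candidate password against a stored 13-character DES crypt hash.
 * verifyDesCrypt() is a hypothetical helper name.
 */
function verifyDesCrypt(string $candidate, string $storedHash): bool
{
    // Reject anything that is not a well-formed DES crypt string, so that a
    // malformed or empty database value can never match.
    if (preg_match(DES_CRYPT_PATTERN, $storedHash) !== 1) {
        return false;
    }

    // The salt is stored in the clear as the first two characters of the hash.
    $salt = substr($storedHash, 0, 2);
    $computed = crypt($candidate, $salt);

    // crypt() signals failure with a short string such as "*0".
    if (strlen($computed) !== 13) {
        return false;
    }

    // Constant-time comparison of the two printable strings.
    return hash_equals($storedHash, $computed);
}

// Hash and password strings quoted in the post above, plus one constructed
// wrong guess. DES crypt only uses the first 8 characters of its input, so
// the first two candidates always produce the same result as each other.
$stored = 'xEDmQW52fNRIU';
foreach (['ore9gate', 'ore9gatexE', 'wrongpass'] as $candidate) {
    printf("%-12s => %s\n", $candidate,
        verifyDesCrypt($candidate, $stored) ? 'match' : 'no match');
}
```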