« Load Balancer Update
NYC at Night photoblog »
h1

mod_auth_mysql and phpass

May 19, 2008

With the release of WordPress 2.5, there were some significant changes to the way passwords were stored in the database.  Prior to 2.5, passwords were stored as MD5 hashes.  While simple and easy, there were some security implications, so since 2.5, passwords are now salted and hashed using the phpass encryption library.  At Automattic we like to keep things simple, so we use the WordPress and bbPress user system for external authentication for things such as Trac and Subversion.  This allows us an effective and simple single sign on (SSO) solution for almost everything we do.  Unfortunately, the existing mod_auth_mysql apache module did not have support for the new password format.

Thanks to Nikolay, we now have the best of both worlds.  He has patched mod_auth_mysql to support phpass.  This means you can now have plug and play authentication against your WordPress blog or bbPress forum almost anywhere you can think of.  The patch allows automatic fallback to MD5 in case the user has not yet logged into WordPress and their password is still stored in the old format.  

Once the new module is loaded, you will just need to replace the following line in your apache configuration file.

OLD:AuthMySQLPwEncryption md5
NEW:AuthMySQLPwEncryption phpass

You can download the patched version here. It has been tested with Apache 2.2.3 and MySQL 4.1/5.0

Possibly related posts: (automatically generated)

Posted in software | Tagged |

15 comments

  1. [...] mod_auth_mysql and phpass [...]

         by Ma.tt » WordPress + mod_auth_mysql May 19, 2008 at 12:43 pm

  2. 2 words: bad ass.

         by Beau May 19, 2008 at 2:40 pm

  3. I wrote the patch that added phpass to WordPress and this is pretty cool news. Always good to see more support.

         by James May 19, 2008 at 4:26 pm

  4. [...] mod_auth_mysql and phpass, a new patch that allows Apache authentication (for Subversion, Trac, enterprise integration systems) to work with the new WordPress secure password storage. Powered by Bookmarkify™ Tags: word press [...]

         by JERSEY-BARKER » Blog Archive » Matt: WordPress + mod_auth_mysql May 19, 2008 at 7:37 pm

  5. Nice, I was just thinking about how to integrate Trac/SVN/BBpress/WordPress on one site. Having a single sign on will be a killer feature for this setup.

    Do you have a short howto or description of how this is configured for the different components?

         by Oyvind May 20, 2008 at 4:01 am

  6. Is there also a patch for Nginx, or will it use the Apache mod_auth_mysql module?

         by chewy22222003 May 20, 2008 at 10:52 am

  7. Damn - another thing to play with instead of doing the work I’m supposed to be doing!

         by Dave Coveney May 21, 2008 at 10:07 am

  8. [...] Patch: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage [...]

         by WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News : The Blog Herald May 21, 2008 at 1:30 pm

  9. [...] Patch: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage [...]

         by WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News | Writing & Blogging Info May 23, 2008 at 7:57 am

  10. [...] mod_auth_mysql and phpass Keep things simple with WordPress and bbPress by using a simple single sign on (SSO) solution which authenticates users against the WordPress user system. This updated mod_auth_mysql apache module has support for the new WordPress password format. [...]

         by Scott Jarkoff :: mod_auth_mysql and phpass May 27, 2008 at 2:40 am

  11. interestingly!

         by trance May 28, 2008 at 1:28 pm

  12. [...] Secure Storage: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage [...]

         by WordPress Wednesday News: WordPress 5 Years Old, WordCamps International, WordPress 2.6 On Track, Plugin Competition is Hot, Genko Updated : The Blog Herald May 28, 2008 at 7:42 pm

  13. [...] so, the nice folk at Automattic (makers of fine blogging software like WordPress) have released a patched version that works with [...]

         by Colin Charles Agenda » Blog Archive » mod_auth_mysql patched to work with phpass June 1, 2008 at 2:44 am

  14. [...] mod_auth_mysql and phpass « Barry on WordPress [...]

         by J’s blog » Blog Archive » Catching up again… June 8, 2008 at 6:58 am

  15. This is awesome indeed — how about a Win32 build?

         by Jud June 26, 2008 at 6:12 pm

Leave a Comment