user password verification in php

Started by stefanfuhr, May 02, 2021, 11:28:04 AM


stefanfuhr

Hi there,
I'm pretty new to PHP, so bear with me on this one. Shop is working so far, no issues. I want to sell software with the ability of authorisation on the customer's machine on payment success. Reading through my "orders" table and recognising if a customer has a successful payment on a specific product id seemed simple in PHP. But I can't just authorise a software based on the client's name and email address. So I need to create a login on the client software. For the validation of the login I need to verify the given password with the password stored in the "customers" table in the db. I see that along with the encrypted password a "salt" is stored in the table, which I understand plays a role in the decryption.

What is the method to verify the given password with the encrypted password and the salt?

I'm using the $_POST method to receive the data from the client software, if that is of any relevance.

stefanfuhr

#1
Looks like I found the solution myself. If someone else comes across this problem, here it is:

Found the algorithm used for password encryption in:

core/lib/customer.php

in the form of SQL:

password = SHA1(CONCAT(salt,
                SHA1(CONCAT(salt, SHA1('".$this->db->escape($password)."')))))


And translated that to PHP:

$passwordhash = sha1($salt.sha1($salt.sha1($password)));

Looks like it works!

Not sure if the double salt and triple sha1 hashing makes it more secure. Came across some "sha1 or md5 is not recommended for password hashing" statements during my research.

Does someone here have an educated opinion about this?
Thanks
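An added example, not part of the original post and not AbanteCart code: it verifies a submitted password against the salted SHA-1 digest described above using a constant-time comparison, and on success derives a slow `password_hash()` value that an external login service could keep in its own storage. The `password_v2` field, the sample row and all function names are assumptions made for illustration.

```php
<?php
// Added example. Field name 'password_v2' is hypothetical; 'salt' and
// 'password' mirror the "customers" columns mentioned in the post.

/** Legacy digest from the post: sha1(salt . sha1(salt . sha1(password))). */
function legacy_hash(string $password, string $salt): string
{
    return sha1($salt . sha1($salt . sha1($password)));
}

/** Compare the stored digest with the recomputed one in constant time. */
function verify_legacy(string $password, string $salt, string $stored): bool
{
    // hash_equals(known, user) avoids the timing leak of == / ===.
    return hash_equals(strtolower($stored), legacy_hash($password, $salt));
}

/**
 * Returns [bool $ok, ?string $newHash]. $newHash is non-null when the caller
 * should persist a fresh password_hash() value in its own (hypothetical) field.
 */
function verify_and_upgrade(string $password, array $row): array
{
    if (!empty($row['password_v2'])) {
        $ok = password_verify($password, $row['password_v2']);
        $stale = $ok && password_needs_rehash($row['password_v2'], PASSWORD_DEFAULT);
        return [$ok, $stale ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    // Only the legacy salted SHA-1 digest exists: check it, then upgrade.
    $ok = verify_legacy($password, $row['salt'], $row['password']);
    return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample row (not real data).
$salt = 'a1b2c3d4';
$row  = [
    'salt'        => $salt,
    'password'    => legacy_hash('correct horse', $salt),
    'password_v2' => null,
];

[$ok, $upgraded] = verify_and_upgrade('correct horse', $row);
var_dump($ok);                                         // legacy check result
var_dump(password_verify('correct horse', $upgraded)); // upgraded hash check

[$bad] = verify_and_upgrade('wrong guess', $row);
var_dump($bad);                                        // wrong password result
```

SHA-1 is designed to be fast, so three rounds add almost no cost for someone guessing passwords offline against a leaked table; `password_hash()` applies a deliberately slow, salted algorithm with a tunable cost.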
