Magento – Admin updated user passwords not working after upgrade (Magento 1.7 -> 1.9)

Tags: admin, magento-1.7, magento-1.9, password, upgrade

When I change the user passwords after upgrade for some users in the systems > permissions > users edit page and try to login, the passwords do not work.

Looked at the database admin_user and it seems when I change/save the new password that the salt is actually longer than the old passwords. The old salt character count (1.7) was always limited to two characters and the new ones are longer (1.9).

Old salt: :x7
New salt: :t2UMmbI

Old passwords work and continue to work but as soon as I change them in the backend, users cannot login.

Also I tried inserting md5 hash+salt passwords via SQL query and that seems to work with two character salt but not with longer ones.

I have checked the sessions, etc. and the solutions involving sessions do not seem to have any effect on it.

Any help would be greatly appreciated.

Best Answer

With the help of Fabian Blechschmidt's comment above (who was very close in his answer), I was able to find the solution.

The issue was that the Salt itself was too short i.e. getting truncated in the database. In Magento 1.7 the password structure is VARCHAR length = 40 and in Magento 1.8/1.9 VARCHAR length = 100. So something got mixed up in the migration which cut off the password upon save in the admin.

Another post on Reddit also pointed out the change in admin_user database structure: http://www.reddit.com/r/Magento/comments/1rndjj/did_ce18_change_the_way_magento_stores_hashed/
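
The truncation described in this answer, reproduced as an added example (not code from the post or from Magento). It assumes Magento 1's `md5(salt + password):salt` storage format and a 32-character salt for admin passwords saved under 1.9; the function names and the sample password are hypothetical.

```python
import hashlib
import secrets
import string

OLD_COLUMN_WIDTH = 40   # admin_user password column in 1.7, per the answer
NEW_COLUMN_WIDTH = 100  # width in 1.8/1.9, per the answer
NEW_SALT_LENGTH = 32    # assumption: salt length used when 1.9 saves an admin password
ALPHABET = string.ascii_letters + string.digits

def make_hash(password, salt_length):
    """Build a Magento 1 style value: md5(salt + password) + ':' + salt."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(salt_length))
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return digest + ":" + salt

def store(value, column_width):
    """Mimic a non-strict MySQL write, which cuts the value to the column width."""
    return value[:column_width]

def validate(password, stored):
    """Split on ':' and recompute the digest with whatever salt survived."""
    digest, _, salt = stored.partition(":")
    return hashlib.md5((salt + password).encode()).hexdigest() == digest

def looks_truncated(stored, column_width):
    """Flag values that fill the column exactly and carry a partial salt."""
    _, _, salt = stored.partition(":")
    return len(stored) == column_width and len(salt) not in (2, NEW_SALT_LENGTH)

def demo(password="constructed-Passw0rd"):
    """Compare an old 2-char-salt row, a truncated row and a correctly sized row."""
    rows = {
        "old_salt_old_column": store(make_hash(password, 2), OLD_COLUMN_WIDTH),
        "new_salt_old_column": store(make_hash(password, NEW_SALT_LENGTH), OLD_COLUMN_WIDTH),
        "new_salt_new_column": store(make_hash(password, NEW_SALT_LENGTH), NEW_COLUMN_WIDTH),
    }
    widths = {"old_salt_old_column": OLD_COLUMN_WIDTH,
              "new_salt_old_column": OLD_COLUMN_WIDTH,
              "new_salt_new_column": NEW_COLUMN_WIDTH}
    return {name: {"salt_len": len(value.partition(":")[2]),
                   "login_ok": validate(password, value),
                   "truncated": looks_truncated(value, widths[name])}
            for name, value in rows.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Under these assumptions a 40-character column leaves 32 digest characters, the colon and 7 salt characters, which matches the length of the "new salt" shown in the question.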
