Magento 1 – Compare MD5 Password to Magento Salted Password

magento-1passwordSecurity

i'm facing an issue, some of you may help me find a clue ?

i have password, that come from an external source. allready md5 applied on it

$external_password_md5;

what i'm trye to achieve is to compare that external password, with magento stored one

$magento_password = Mage::getModel("customer/customer")
                        ->setWebsiteId(Mage::app()
                        ->getWebsite()
                        ->getId())
                        ->loadByEmail($email)
                        ->getPasswordHash();

for as same email, external_password_md5 and magento password are relative the same inputed string (thay match in plain text), but i can't managed to get the two compared.

The fact is, that magento uses for password crypt this kind of code

 $magento_password = md5($salt.$password).':'.$salt;

even if I have the $salt, my external_password is allready md5, so applying magento way on allready md5 password won't give anything.

Has anyone an idea how to achieve a comparaison that works ?

"pseudo code"

if ($external_password_md5 == $magento_password)

Best Answer

That's impossible by design unless you have the password in plain text (for example when a user tries to login)

Hash functions are irreversible. For md5 there are so called rainbow tables, i.e. lists of hashes for words and common passwords, so in some cases you could find out the password. But for strong passwords it's impossible.

Also note that the fact that you can create collisions for md5 hashes does not help in your case because if two strings have the same md5 hash, they will not have the same md5 hash if a salt is added.

Related Solutions

Magento – Magento admin password reset using md5, why

The encryption key is used for encryption and decryption, not for hashing.
The user and admin passwords are just hashed.
See how Mage_Admin_Model_User::_beforeSave works.

$data['password'] = $this->_getEncodedPassword($this->getNewPassword());

if you dig deeper into _getEncodedPassword you will find this:

protected function _getEncodedPassword($password)
{
    return Mage::helper('core')->getHash($password, 2);
}

Going deeper and deeper you end up on this method for CE:

public function hash($data)
{
    return md5($data);
}

and on this for EE.

public function hash($data, $version = self::HASH_VERSION_LATEST)
{
    if (self::HASH_VERSION_MD5 === $version) {
        return md5($data);
    }
    return hash('sha256', $data);
}

As for the reason "why" is done this way...I guess it just how it is.
The only reason I can think of is portability. You can transfer customers and admins from one instance to an other and the passwords will still work.

Existing Customer Import with MD5 Hashed Password in Magento 1.8

THIS ANSWER APPLIES TO MAGENTO 1

You do not need to modify Magento's authentication classes. You can import passwords already MD5 encrypted. I have tested this.

How Magento 1 CE stores passwords:

Password chosen by user: Foobar!
Salt random generated by Magento: 2sM0lWnxa
Password before MD5 encyption: 2sM0lWnxaFoobar! (that is <salt><password>)
Password in MD5 encryption: b55bd20f0ef25e759dc77b09fe7e4dfd
Password stored in database: b55bd20f0ef25e759dc77b09fe7e4dfd:2sM0lWnxa (that is <md5 password>:<salt>)

How to format already MD5 encrypted password for import (without salt):

Simply add a : (colon) to the end of the already MD5 encrypted password

How does this work?

We can see that Magento looks for a : (colon) in the string, and assumes what comes after it is the salt. If you place a : (colon) at the end of your already encrypted password and then nothing further, Magento will realise that there IS no salt for that password.

Getting the password into Magento

Alright, so now we know what we need to do to our passwords, how do we get them into Magento? Normally Magento will automatically encrypt a password you give it, but in our case we DON'T want it to because it's already done.

Turns out, this is simple too! When creating, or updating an existing customer by code you normally use this to set their password:

$customerModel = Mage::getModel("customer/customer");
// ... further code here to create customer (or update existing customer) ...
$customerModel->setPassword("Plain Text Password");
$customerModel->save();

Instead of using the setPassword method on Customer Model, use setPasswordHash:

$customerModel->setPasswordHash("<md5 encrypted password>:");

Best Answer

Related Solutions

Magento – Magento admin password reset using md5, why

Existing Customer Import with MD5 Hashed Password in Magento 1.8

THIS ANSWER APPLIES TO MAGENTO 1

Related Topic