Magento – Magento 2 SHA1 Password is not Accepted after Migration

data-migration, magento-1.9, magento2

I have migrated a Magento 1.9.1.0 website to Magento 2.2.4; all data was migrated successfully.

When I try to log in from the front-end with an existing old customer (Magento 1),
it generates the error

"You did not sign in correctly or your account is temporarily disabled."

It works fine for newly created customers in Magento 2.

I have debugged in the database customer_entity table and found that old Magento 1 was using SHA1 for password hashing, and its length is 40 + salt = 73 characters. Magento 1 uses MD5 by default, but in our Magento code the old developers overrode the core file and changed the code below:

class CD_Core_Model_Encryption extends Mage_Core_Model_Encryption
{
    /**
     * Hash a string
     *
     * @param string $data
     * @return string
     */
    public function hash($data)
    {
        return sha1($data);
    }
}

Hence all passwords in Magento 1 were saved in SHA1 format.

After migration the passwords look like this:

6de015050ee16e5451019072f77f2bf50c3c02bc:VLAyPWtkZsHa00UMCWrFNtJ1ARoBp4Wc

The above password is not accepted in Magento 2 at login.

Can anybody help with how to support SHA1 passwords in Magento 2?

Best Answer

I think you are aware of the possible solutions, but let me clarify them:

Solution 1: Easy Quick Solution

What Alan Storm suggested:

  1. Ask your customers to change their password by sending them a password reset link.
  2. Reset all passwords manually or by script and send them.

How you can do that (put this in the root folder and run the script to send a password reset link to all customers):

<?php
include('app/bootstrap.php'); // add bootstrap file

use Magento\Framework\App\Bootstrap;
use Magento\Customer\Api\AccountManagementInterface;
use Magento\Customer\Model\AccountManagement;
use Magento\Framework\Exception\NoSuchEntityException;

$bootstrap = Bootstrap::create(BP, $_SERVER);
$objectManager = $bootstrap->getObjectManager();

$state = $objectManager->get('Magento\Framework\App\State');
$state->setAreaCode('frontend');

$accountManagement = $objectManager->create(AccountManagementInterface::class);
$customerCollection = $objectManager->create('Magento\Customer\Model\ResourceModel\Customer\Collection');
$customerCollection->load();   // get customers
$i = 0;
echo "<pre>";
foreach ($customerCollection as $customer) {
    $email = $customer->getData('email');

    try {
        // Sends the standard "reset your password" e-mail for this account
        $accountManagement->initiatePasswordReset($email, AccountManagement::EMAIL_RESET);
        echo $i . " Email :- " . $email . " Mail Sent\n";
    } catch (NoSuchEntityException $e) {
        // Do nothing, we don't want anyone to use this action to determine which email accounts are registered.
    } catch (\Exception $exception) {
        echo __('We\'re unable to send the password reset email.') . " (" . $email . ")\n";
    }

    $i++;
}

Solution 2. (Not recommended, but also works)

A hash algorithm cannot be changed from one to another (MD5 to SHA1/SHA2). Magento 2 doesn't support SHA1 (deprecated).

Hashing algorithms are one-way, i.e. they cannot be reversed, unlike encryption/decryption algorithms.

You can't get back the string (password), but you can check for the same hash value by brute force.

Magento 1.x has stored passwords similar to:

password = 353dc2ba6108461cf3468184bdd0e174:LM => md5($password.$salt):salt

Pseudo code

list($hash, $salt) = explode(':', $storedPassword); // password[0] = hash, password[1] = salt
if (md5($salt . $userEnteredPassword) === $hash) {
    // User authenticated
}

In your case:

6de015050ee16e5451019072f77f2bf50c3c02bc:VLAyPWtkZsHa00UMCWrFNtJ1ARoBp4Wc

sha1(md5($password.$salt)):sha1(salt)

Magento 2 stores it this way:

5ca6a208eba1be74251419d22399925c01fbe36f72c5b472d110c40c119b8709:QTwASvDZV6kKPNCl8eHZGZfF1U8NaoRB:1

hash('sha256', $salt . $password):$salt:1

Hash value:(random 32-character string):(hashing algorithm version, default 1)

  • MD5 produces a 128-bit (16-byte) hash value (supported by Magento 1.x, 2.x).
  • SHA-1 produces a 160-bit hash value.
  • SHA-2 (SHA-256) produces a 256-bit hash value (supported by Magento 2.x).

What you have to do now: authenticate users with an extra step and also save in a similar manner.

Pseudo code

list($hash, $salt) = explode(':', $storedPassword); // password[0] = hash, password[1] = salt
if (hash('sha256', sha1(md5($salt . $userEnteredPassword))) === $hash) {
    // User authenticated
}

Want to change core files to support SHA1?

It's the password hashing and encrypt/decrypt library using cryptographic algorithms: https://github.com/magento/magento2/blob/2.2-develop/lib/internal/Magento/Framework/Encryption/Encryptor.php

or

Write a plugin for an extra authentication step

for \Magento\Customer\Api\AccountManagementInterface::authenticate(). Check this: https://github.com/magento/magento2/blob/2.2-develop/app/code/Magento/Customer/Api/AccountManagementInterface.php
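The "extra authentication step" the answer describes, written out as an added example that is not part of the question, the answer, or Magento's own code. It assumes the question's override stored sha1($salt . $password) . ':' . $salt (Mage_Core_Model_Encryption::getHash prepends the salt before calling hash()), and that Magento 2.2 stores hash('sha256', $salt . $password) . ':' . $salt . ':1' (Encryptor::HASH_VERSION_SHA256 is 1). It is stand-alone PHP with constructed sample values; the wiring into a plugin on AccountManagementInterface::authenticate() and the write-back of the upgraded hash to customer_entity are left to the project.

```php
<?php
// Added example: accept a migrated Magento 1 legacy hash once, then store a
// Magento 2 format hash so the legacy code path is never needed for that
// customer again. Constants and formats are assumptions stated in the lead-in.

const M2_HASH_VERSION_SHA256 = 1; // assumed to match Encryptor::HASH_VERSION_SHA256 in 2.2

function isLegacySha1Hash(string $stored): bool
{
    // Legacy rows have exactly two fields: 40 hex chars and the salt, no version number.
    $parts = explode(':', $stored);
    return count($parts) === 2 && preg_match('/^[0-9a-f]{40}$/', $parts[0]) === 1;
}

function verifyLegacySha1(string $password, string $stored): bool
{
    list($hash, $salt) = explode(':', $stored, 2);
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($hash, sha1($salt . $password));
}

function makeMagento2Hash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password) . ':' . $salt . ':' . M2_HASH_VERSION_SHA256;
}

function verifyMagento2Hash(string $password, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 3 || (int)$parts[2] !== M2_HASH_VERSION_SHA256) {
        return false;
    }
    return hash_equals($parts[0], hash('sha256', $parts[1] . $password));
}

/**
 * Authenticate against either format. Returns the hash that should now be
 * stored for this customer, or null when the password is wrong. When a legacy
 * hash was accepted, the return value is a fresh Magento 2 hash so the row can
 * be upgraded transparently during this login.
 */
function authenticateAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacySha1Hash($stored)) {
        if (!verifyLegacySha1($password, $stored)) {
            return null;
        }
        // New random 32-character salt (hex here; Magento itself uses an
        // alphanumeric random string, the length is what matters).
        $salt = bin2hex(random_bytes(16));
        return makeMagento2Hash($password, $salt);
    }
    return verifyMagento2Hash($password, $stored) ? $stored : null;
}

// Constructed sample (not the hash from the question): a customer whose
// Magento 1 password was 'Correct-Horse-9' with a made-up 32-character salt.
$legacySalt   = 'Gz3kq7d1pR0sTnm2Lc8vWb5yXe4hJu6A';
$legacyStored = sha1($legacySalt . 'Correct-Horse-9') . ':' . $legacySalt;

$wrong    = authenticateAndUpgrade('not-the-password', $legacyStored);
$upgraded = authenticateAndUpgrade('Correct-Horse-9', $legacyStored);

echo $wrong === null ? "wrong password rejected\n" : "BUG: wrong password accepted\n";
echo ($upgraded !== null && !isLegacySha1Hash($upgraded))
    ? "legacy login accepted, row should now hold: $upgraded\n"
    : "BUG: legacy login failed\n";
// After the upgrade the Magento 2 path verifies and the legacy path is no longer taken.
echo verifyMagento2Hash('Correct-Horse-9', $upgraded) ? "magento 2 hash verifies\n" : "BUG: upgraded hash rejected\n";
```

The format check in isLegacySha1Hash() is what keeps this safe to leave in place after the migration: once a row has been rewritten with the three-field Magento 2 format, only the SHA-256 verifier is consulted, so the SHA1 acceptance shrinks to the set of customers who have not logged in yet, and a password reset campaign (Solution 1) can clean up the remainder.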
