I was surprised that we can access to admin backend resetting admin user password with md5.
UPDATE `admin_user` SET `password` = MD5('anyword') WHERE `admin_user`.`user_id`= 1;
This is some kind of Magento feature or vulnerability? Why password is not depend on encryption key in local.xml?
Best Answer
The encryption key is used for encryption and decryption, not for hashing.
The user and admin passwords are just hashed.
See how
Mage_Admin_Model_User::_beforeSave
works.if you dig deeper into
_getEncodedPassword
you will find this:Going deeper and deeper you end up on this method for CE:
and on this for EE.
As for the reason "why" is done this way...I guess it just how it is.
The only reason I can think of is portability. You can transfer customers and admins from one instance to an other and the passwords will still work.