Magento – Magento admin password reset using md5, why

Tags: ce-1.7.0.2, ee-1.13.1.0, encryption-key, password

I was surprised that we can access the admin backend after resetting the admin user's password with MD5.

UPDATE `admin_user` SET `password` = MD5('anyword') WHERE `admin_user`.`user_id`= 1;

Is this some kind of Magento feature or a vulnerability? Why does the password not depend on the encryption key in local.xml?

Best Answer

The encryption key is used for encryption and decryption, not for hashing.
The user and admin passwords are just hashed.
See how Mage_Admin_Model_User::_beforeSave works.

// Mage_Admin_Model_User::_beforeSave(): the new password is hashed, not encrypted
$data['password'] = $this->_getEncodedPassword($this->getNewPassword());

If you dig deeper into _getEncodedPassword you will find this:

protected function _getEncodedPassword($password)
{
    // second argument is the length of the random salt the encryptor generates;
    // the encryption key from local.xml is not involved
    return Mage::helper('core')->getHash($password, 2);
}

Going deeper and deeper you end up on this method for CE:

// Mage_Core_Model_Encryption::hash() in CE: plain MD5
public function hash($data)
{
    return md5($data);
}

and on this one for EE:

// Enterprise_Pci_Model_Encryption::hash() in EE: MD5 only for legacy hashes, SHA-256 otherwise
public function hash($data, $version = self::HASH_VERSION_LATEST)
{
    if (self::HASH_VERSION_MD5 === $version) {
        return md5($data);
    }
    return hash('sha256', $data);
}

As for the reason "why" it is done this way... I guess that's just how it is.
The only reason I can think of is portability. You can transfer customers and admins from one instance to another and the passwords will still work.
