Magento CE 1.8 Password Storage Security

ce-1.8.0.0Security

CE 1.8 inherits from EE 1.13 and lists as a change:
“The cryptographic methods used to store passwords were improved to enhance security”

As far as I know, earlier versions used APR1 which is a 1000 iteration loop of MD5 with a 32-bit salt, then encodes the 128-bit result in 6-bit chunks to a text readable format using a fixed 64 entry array of printable characters.

How has this changed in the new versions? There does not seem to be any documentation with any details.

Best Answer

Community Edition

In the old version (CE 1.7.0.2) magento hashed passwords with md5 and a 2 char salt. No iterations, just one hashing.

With 1.8 the method changed ... a little bit. They changed the salt lentgh from 2 to 32. The method is still bad.

Enterprise Edition

The enterprise edition does nearly the same. The difference is (before 1.13!) they use sha256(). I don't know what they use in 1.13

Advertisement for PBKDF2

If you want to hash the user passwords in a better way, you can install my module: https://github.com/ikonoshirt/pbkdf2

It uses PBKDF2 for hashing password.

Related Solutions

Configuration – System Config Tab Not Showing in CE 1.8

A tab does not appear if you don't have sections in it (most probably).
Add a section with at least a group and a field in it.
[EDIT] Here is my system.xml that worked:

<?xml version="1.0"?>
<config>
    <tabs>
        <test_module translate="label" module="test_module">
            <label>Test Module</label>
            <sort_order>999</sort_order>
        </test_module>
    </tabs>
    <sections>
        <test_module translate="label" module="test_module">
            <label>Test</label>
            <tab>test_module</tab>
            <frontend_type>text</frontend_type>
            <sort_order>400</sort_order>
            <show_in_default>1</show_in_default>
            <show_in_website>1</show_in_website>
            <show_in_store>1</show_in_store>
            <groups>
                <settings translate="label">
                    <label>Settings</label>
                    <frontend_type>text</frontend_type>
                    <sort_order>10</sort_order>
                    <show_in_default>1</show_in_default>
                    <show_in_website>1</show_in_website>
                    <show_in_store>1</show_in_store>
                    <fields>
                        <enabled translate="label">
                            <label>Enabled</label>
                            <frontend_type>select</frontend_type>
                            <source_model>adminhtml/system_config_source_yesno</source_model>
                            <sort_order>10</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>1</show_in_store>
                        </enabled>
                    </fields>
                </settings>
            </groups>
        </test_module>
    </sections>
</config>

Magento – password protection

You can write a small custom extension that checks if the user has permission to access the site.

Your config.xml would look something like this

<?xml version="1.0"?>
<config>
   <modules>
      <[Namespace]_[Module]>
         <version>1.0.0</version>
      </[Namespace]_[Module]>
   </modules>
   <global>
      <models>
         <[module]>
            <class>[Namespace]_[Module]_Model</class>
         </[module]>
      </models>
      <events>
         <controller_front_init_before>
            <observers>
               <[namespace]_[module]_access_observer>
                  <type>singleton</type>
                  <class>[Namespace]_[Module]_Model_Observer</class>
                  <method>checkAccess</method>
               </[namespace]_[module]_access_observer>
            </observers>
         </controller_front_init_before>
      </events>
   </global>
</config>

And your observer class something like this

class [Namespace]_[Module]_Model_Observer
{
   public function checkAccess()
   {
      $adminurl = (string)Mage::getConfig()->getNode('admin/routers/adminhtml/args/frontName');

      $urlstring = Mage::helper('core/url')->getCurrentUrl();
      $url = Mage::getSingleton('core/url')->parseUrl($urlstring);

      if (strstr($url->path, "/{$adminurl}"))   return $this; // this is the admin section

      // get admin session
      Mage::getSingleton('core/session', array('name' => 'adminhtml'))->start();

      $admin_logged_in = Mage::getSingleton('admin/session', array('name' => 'adminhtml'))->isLoggedIn();

      // return to frontend section
      Mage::getSingleton('core/session', array('name' => 'frontend'))->start();

      if (!$admin_logged_in)
      {
         die('No access!');
      }
   }
}