CE 1.8 inherits from EE 1.13 and lists as a change:
“The cryptographic methods used to store passwords were improved to enhance security”
As far as I know, earlier versions used APR1, which is a 1000-iteration loop of MD5 with a 32-bit salt, then encodes the 128-bit result in 6-bit chunks to a text-readable format using a fixed 64-entry array of printable characters.
How has this changed in the new versions? There does not seem to be any documentation with any details.
Best Answer
Community Edition
In the old version (CE 1.7.0.2) Magento hashed passwords with md5 and a 2 char salt. No iterations, just one hashing.
With 1.8 the method changed ... a little bit. They changed the salt length from 2 to 32. The method is still bad.
Enterprise Edition
The enterprise edition does nearly the same. The difference is (before 1.13!) they use sha256(). I don't know what they use in 1.13.
Advertisement for PBKDF2
If you want to hash the user passwords in a better way, you can install my module: https://github.com/ikonoshirt/pbkdf2
It uses PBKDF2 for hashing passwords.
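To make the answer's comparison concrete, here is an added example (written for this page in Python, not code from the answer, from Magento, or from the ikonoshirt/pbkdf2 module). It models the CE scheme described above (one MD5 round over salt + password, with a 2-character salt for 1.7 and a 32-character salt for 1.8) next to a PBKDF2-HMAC-SHA256 record, and shows the usual migration pattern: verify a legacy record on login and immediately rehash it with PBKDF2. The "hash:salt" storage layout, the "pbkdf2_sha256$iterations$salt$dk" record format and the iteration count are assumptions of this example, not values taken from Magento.

```python
import hashlib
import hmac
import os
import secrets

# Alphabet for the text salts of the legacy scheme (constructed for this example).
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Assumed PBKDF2 work factor for this example; tune it to your hardware budget.
PBKDF2_ITERATIONS = 100_000


def random_salt(length):
    """Text salt of the given length (2 for CE 1.7, 32 for CE 1.8)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def legacy_hash(password, salt):
    """CE-style record: one MD5 round over salt + password, stored as 'hash:salt'.

    The 'hash:salt' layout is an assumption of this example. Note that the salt
    length changes nothing about the cost of a single guess: it is still one MD5.
    """
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def legacy_verify(password, stored):
    """Recompute the legacy record and compare in constant time."""
    _digest, salt = stored.split(":", 1)
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iterations$salt_hex$dk_hex'.

    The record format is an assumption of this example. A 16-byte random salt
    is generated when none is supplied.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Parse the record, recompute with the stored salt and iteration count, compare."""
    algo, iterations, salt_hex, _dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def work_factor(stored):
    """Underlying hash iterations an attacker must pay per guess for this record."""
    if stored.startswith("pbkdf2_sha256$"):
        return int(stored.split("$")[1])
    return 1  # legacy scheme: a single MD5 round regardless of salt length


def upgrade_on_login(password, stored):
    """Verify against whichever format is stored.

    Returns (ok, new_record): new_record is a PBKDF2 record to write back when a
    legacy record verified successfully, otherwise None.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), None
    if legacy_verify(password, stored):
        return True, pbkdf2_hash(password)
    return False, None


if __name__ == "__main__":
    # Constructed sample records for a password chosen for this demo.
    old_ce17 = legacy_hash("correct horse", random_salt(2))
    old_ce18 = legacy_hash("correct horse", random_salt(32))
    print("CE 1.7 record:", old_ce17, "work factor:", work_factor(old_ce17))
    print("CE 1.8 record:", old_ce18, "work factor:", work_factor(old_ce18))
    ok, new_record = upgrade_on_login("correct horse", old_ce18)
    print("login ok:", ok, "rehashed work factor:", work_factor(new_record))
```

The work_factor function makes the answer's point visible: the 1.7 and 1.8 records differ only in salt length and both cost one MD5 per guess, while the PBKDF2 record costs the full iteration count. The upgrade path is the reason to keep legacy_verify around at all: once a user logs in, the record is replaced and the old hash never needs to be verified again.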