osCommerce


md5 and password encryption method


Guest


Posted

i see in the password_funcs.php file that OSC ads 2 random characters and then md5s the password. Can anyone tell me what the security benefit of this added step is? I am importing an old database, and tempted to simply check for either the new md5 method offered by OSC or my old plain md5'd passwords. Or is there a quick way to apply this new random encoding to 900 usernames in a MySQL database?

Posted
i see in the password_funcs.php file that OSC ads 2 random characters and then md5s the password. Can anyone tell me what the security benefit of this added step is? I am importing an old database, and tempted to simply check for either the new md5 method offered by OSC or my old plain md5'd passwords. Or is there a quick way to apply this new random encoding to 900 usernames in a MySQL database?

Remove the extra chars from password_funcs.php then.

I don't know how they manage to check passwords when they add random characters before encoding.. that really seems bizarre!

It (the login script, whatever) would have to know what the extra characters were in order to encode the password typed by the user to compare against the md5 hash.

So, look for where it figures that part out and you may be able to migrate.

Hope that helps.

  • 10 months later...
Posted

here is some SQL to convert a plain text password to an osc password:

CONCAT(
  md5(CONCAT(substr(md5(txtPass), 1, 2), txtPass)),
  ':',
  substr(md5(txtPass), 1, 2)
)
-- MySQL SUBSTR positions start at 1; substr(..., 0, 2) returns '' and would store an empty salt

it is based upon this function from the password_funcs.php:

// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
  $password = '';

  // ten random digits, only used as input for deriving the salt
  for ($i=0; $i<10; $i++) {
    $password .= tep_rand();
  }

  // PHP substr() is 0-based: first two hex characters of the md5
  $salt = substr(md5($password), 0, 2);

  $password = md5($salt . $plain) . ':' . $salt;

  return $password;
}

  • 2 months later...
Posted

The two characters added are for creating the hash in such a way that hash=md5(twocharactersPlainPassword)

ie:

2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74

I don't see this "salt" added as a security improvement since md5 is already cracked and the salt is stored in the database so it's not part of a shared secret.
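The format described in this post, and the migration question that opened the thread, worked through in Python as an added example (my port, not osCommerce's own code): `osc_encrypt_password` and `osc_validate_password` are assumed names for the legacy `md5(salt+plain):salt` scheme, `classify` flags the three shapes a `customers_password` column can hold during such an import, `login_and_upgrade` re-hashes a plain-md5 row at the user's next successful login instead of rewriting 900 rows in SQL, and `same_password_differs` shows what the two-character salt does and does not buy.

```python
import hashlib
import re
import secrets
from typing import Optional, Tuple

# Assumed port of osCommerce's legacy password format (not the project's own code):
# customers_password holds md5(salt + plain) + ':' + salt, salt being two hex characters.
HEX32 = re.compile(r'^[0-9a-f]{32}$')


def plain_md5(plain: str) -> str:
    """The pre-osC scheme the thread starts from: bare md5 of the password."""
    return hashlib.md5(plain.encode('utf-8')).hexdigest()


def osc_encrypt_password(plain: str, salt: Optional[str] = None) -> str:
    """Build 'md5(salt+plain):salt'. osC takes the first two hex chars of md5 over
    ten random digits; secrets.token_hex(1) draws from the same 256-value space."""
    if salt is None:
        salt = secrets.token_hex(1)
    return hashlib.md5((salt + plain).encode('utf-8')).hexdigest() + ':' + salt


def classify(stored: str) -> str:
    """Label a stored value so a migration script can see what each row holds."""
    if ':' in stored:
        digest, _, salt = stored.partition(':')
        if HEX32.match(digest) and len(salt) == 2:
            return 'osc-salted-md5'
        if HEX32.match(digest) and salt == '':
            # shape produced by MySQL SUBSTR(md5(...), 0, 2): positions are 1-based,
            # so position 0 yields '' and the row is written with no salt at all
            return 'malformed-empty-salt'
        return 'unknown'
    if HEX32.match(stored):
        return 'legacy-plain-md5'
    return 'unknown'


def osc_validate_password(plain: str, stored: str) -> bool:
    """Accept the osC salted format and, during a migration window, legacy plain md5."""
    kind = classify(stored)
    digest, _, salt = stored.partition(':')
    if kind == 'osc-salted-md5':
        expected = hashlib.md5((salt + plain).encode('utf-8')).hexdigest()
    elif kind == 'legacy-plain-md5':
        expected = plain_md5(plain)
    else:
        return False  # malformed or unknown rows never verify
    return secrets.compare_digest(expected, digest)


def login_and_upgrade(plain: str, stored: str) -> Tuple[bool, str]:
    """Verify, and when the row still holds plain md5, hand back the salted value so
    the caller can UPDATE it: each imported account migrates on its next login,
    which needs no plaintext export and no bulk SQL rewrite."""
    if not osc_validate_password(plain, stored):
        return False, stored
    if classify(stored) == 'legacy-plain-md5':
        return True, osc_encrypt_password(plain)
    return True, stored


def same_password_differs(plain: str) -> bool:
    """What the salt buys: two accounts with the same password store different values,
    so one recovered row says nothing about the other and a table precomputed for
    unsalted md5 no longer matches directly. With only 256 possible salts that margin
    is small, which is the fair part of the criticism in the post above."""
    a = osc_encrypt_password(plain, salt='00')
    b = osc_encrypt_password(plain, salt='ff')
    return a != b and osc_validate_password(plain, a) and osc_validate_password(plain, b)


if __name__ == '__main__':
    legacy = plain_md5('PaSs')  # constructed: a row as imported from the old shop
    ok, upgraded = login_and_upgrade('PaSs', legacy)
    print(ok, classify(legacy), '->', classify(upgraded))
```

Hash-on-login only ever sees the password the user just typed, so the old plain-md5 rows are replaced one by one without anyone needing the plaintexts; rows that never log in again can be expired later.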

  • 1 year later...
Posted

I have this project where usernames must be NOT unique, so in the first query in login.php I had to select *one* row from customers where _username and _password match.

To do this, I had to modify tep_encrypt_password() and tep_validate_password() in includes/classes/functions/passwd_functions.php so they had no salt on the hash.

function tep_validate_password($plain) {
  return true;
}

////
// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
  // remove the salt
  $password = '';

  for ($i=0; $i<10; $i++) {
    $password .= tep_rand();
  }

  $salt = substr(md5($password), 0, 2);

  //$password = md5($salt . $plain) . ':' . $salt;

  $password = md5($plain);

  return $password;
}

So, validation always comes to true because as a matter of fact in login.php we'll do the validation:

// Check if email exists
$check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_firstname = '" . tep_db_input($email_address) . "' and customers_password = '" . md5($password) . "'");

If you guys are going to use this multiple usernames and unique password login thing, check out the login.php query because I look for username in the customers_firstname field. You know, sometimes you have to give stuff a little tweak. : P
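An added alternative to the approach in this post, not from osCommerce and not the poster's code: non-unique usernames can be handled without removing the salt or making the validator return true unconditionally, by selecting candidates by username only and verifying the password in application code against each candidate's own salt. SQLite stands in for MySQL here, the rows are constructed for the example, and `build_db` and `find_customer` are assumed names.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional

# Assumed helpers mirroring osC's legacy 'md5(salt+plain):salt' format (not project code).
def osc_encrypt_password(plain: str, salt: Optional[str] = None) -> str:
    if salt is None:
        salt = secrets.token_hex(1)
    return hashlib.md5((salt + plain).encode('utf-8')).hexdigest() + ':' + salt


def osc_validate_password(plain: str, stored: str) -> bool:
    digest, _, salt = stored.partition(':')
    return secrets.compare_digest(hashlib.md5((salt + plain).encode('utf-8')).hexdigest(), digest)


# Constructed sample data: two accounts deliberately share the username 'mike'.
SAMPLE_CUSTOMERS = [
    (1, 'mike', 'Bubba'),
    (2, 'mike', 'correct horse'),
    (3, 'anna', 'Bubba'),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL customers table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('create table customers (customers_id integer primary key, '
                 'customers_firstname text, customers_password text)')
    conn.executemany('insert into customers values (?, ?, ?)',
                     [(cid, name, osc_encrypt_password(pw)) for cid, name, pw in SAMPLE_CUSTOMERS])
    return conn


def find_customer(conn: sqlite3.Connection, username: str, plain: str) -> Optional[int]:
    """Non-unique usernames without dropping the salt: the query selects candidates by
    username only (a bound parameter, so there is no escaping to get wrong), and the
    password is checked in code against each candidate's own salt, which a WHERE clause
    comparing a single md5() value cannot do. Returns the one matching customers_id."""
    rows = conn.execute(
        'select customers_id, customers_password from customers where customers_firstname = ?',
        (username,),
    ).fetchall()
    matches = [cid for cid, stored in rows if osc_validate_password(plain, stored)]
    if len(matches) == 1:
        return matches[0]
    # Zero matches is a failed login; more than one means two same-named accounts share
    # a password, and picking one silently would log the user into the wrong account.
    return None


def run_demo() -> tuple:
    conn = build_db()
    return (
        find_customer(conn, 'mike', 'Bubba'),
        find_customer(conn, 'mike', 'correct horse'),
        find_customer(conn, 'mike', 'wrong'),
        find_customer(conn, 'anna', 'Bubba'),
    )


if __name__ == '__main__':
    print(run_demo())  # (1, 2, None, 3)
```

The cost is one hash computation per same-named candidate rather than one indexed lookup, which is negligible for a handful of duplicates and keeps the password check out of the SQL string entirely.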

  • 3 years later...
Posted

I tried setting the password manually with this

update `customers` set customers_password = CONCAT(
  md5(CONCAT(substr(md5('Bubba'), 0, 2), 'Bubba')),
  ':',
  substr(md5('Bubba'), 0, 2)
)
WHERE customers_id=1

the sql worked, and this is the entry in the database

71399584f1bf28852c4b59aca22c2c21:

But I could not log in with the Bubba password

when I had the system set the password to Bubba

the database entry was this:

$P$DzLR7FM1xQZWuq1h1I3/v7jVOJNqiY0

What I am trying to do is to have two programs (separate auction and oscommerce store) use the same login info, by having the auction system add to the os commerce database at the same time it gets a registration, or has a password change.

I am using v. 2.3.1

looking at the password function code it looks like the md5 was for an older version?

Any help appreciated

Am willing to pay an expert to help me with this conversion. I have this issue plus one with sorting.

Email [email protected] if you can help

Thanks

Mike
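An added example, not from the thread or from osCommerce, on the two stored values Mike quotes. The first, ending in a bare ':', is what the UPDATE above produces because MySQL's SUBSTR counts positions from 1 (position 0 returns an empty string, so the stored salt is empty). The second, starting with `$P$`, is the phpass "portable" hash format, which, to my understanding, osCommerce 2.3 uses for new passwords; the Python below is my port of that scheme (`phpass_crypt`, `phpass_hash`, `phpass_fields` and `validate_password` are assumed names), and `validate_password` shows the dispatch a 2.3-era check has to make between legacy `md5:salt` rows and `$P$` rows. An external system that wants to share logins with 2.3.x therefore has to write `$P$` values (or leave legacy rows for the store to verify), not plain md5.

```python
import hashlib
import hmac
import os

# Assumed Python port of the phpass "portable" scheme (the $P$ hashes osCommerce 2.3
# writes); not the project's own code. Layout: '$P$' + 1 char (log2 of the iteration
# count) + 8 salt chars + 22 chars encoding the 16-byte result.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (its own alphabet, no padding)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def phpass_fields(stored: str) -> dict:
    """Split a stored $P$ value into its parts."""
    if not stored.startswith('$P$') or len(stored) != 34:
        raise ValueError('not a phpass portable hash')
    count_log2 = ITOA64.index(stored[3])
    return {'count_log2': count_log2, 'iterations': 1 << count_log2,
            'salt': stored[4:12], 'hash': stored[12:]}


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute the hash for a password under the salt and count in `setting`."""
    if not setting.startswith('$P$') or len(setting) < 12:
        raise ValueError('not a phpass portable setting')
    count_log2 = ITOA64.index(setting[3])
    salt = setting[4:12]
    pw = password.encode('utf-8')
    h = hashlib.md5(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):  # iterated md5: this is the work factor
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)


def phpass_hash(password: str, count_log2: int = 15) -> str:
    """New hash with a random 8-char salt. 15 (32768 rounds) is what the 'D' in the
    value quoted above decodes to; lower it only for tests."""
    salt = _encode64(os.urandom(6))[:8]
    return phpass_crypt(password, '$P$' + ITOA64[count_log2] + salt)


def validate_password(plain: str, stored: str) -> bool:
    """What a 2.3-era validator must accept: legacy 'md5(salt+plain):salt' rows written
    by older versions, and $P$ rows written by the application itself."""
    if ':' in stored:
        digest, _, salt = stored.partition(':')
        expected = hashlib.md5((salt + plain).encode('utf-8')).hexdigest()
        return hmac.compare_digest(expected, digest)
    if stored.startswith('$P$') and len(stored) == 34:
        return hmac.compare_digest(phpass_crypt(plain, stored), stored)
    return False


if __name__ == '__main__':
    sample = '$P$DzLR7FM1xQZWuq1h1I3/v7jVOJNqiY0'  # the value quoted in the post above
    print(phpass_fields(sample))
    print(validate_password('Bubba', phpass_hash('Bubba')))
```

The salt and iteration count travel inside the stored string, so a second application only needs the same algorithm, not shared configuration, to verify or produce compatible values; the 32768 rounds are what makes this format materially slower to guess against than either md5 variant earlier in the thread.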

  • 11 months later...
Posted

Hi, as I noticed customers can create their account with any password characters they want. Does the encryption method of osCommerce 2.3.x handle that well? Is the encryption of passwords UTF-8 compatible?

I have some login issues logged in the action recorder.

Several foreign customers weren't able to log in. After resetting their password to 123456 they could log in.

I did some tests with Greek and Russian words for passwords with no problem, but I'm afraid that maybe a special char in some other alphabet is not stored correctly. Or users don't enter their full email address.

If encryption is not UTF-8 compatible then maybe a validation should forbid users from entering non-English characters for their account password.

Thank you
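An added example, not from the thread, on the question above. Every scheme in this thread hashes bytes, so a non-ASCII password only verifies if registration and login hand the hash the same bytes: the same character encoding and the same Unicode normal form. Whether that is what happened to the customers above cannot be told from the post; the code just shows where a mismatch would come from. `md5_hex`, `encodings_agree`, `canonical` and `would_verify` are assumed names, and plain md5 stands in for the salted and `$P$` variants, which would diverge in exactly the same way.

```python
import hashlib
import unicodedata


def md5_hex(password: str, encoding: str) -> str:
    """md5 runs over bytes, so the encoding chosen before hashing is part of the input."""
    return hashlib.md5(password.encode(encoding)).hexdigest()


def encodings_agree(password: str, enc_a: str, enc_b: str) -> bool:
    """True when the two encodings produce the same bytes (ASCII-only passwords always do,
    which is why a reset to 123456 works regardless of the page encoding)."""
    return md5_hex(password, enc_a) == md5_hex(password, enc_b)


def canonical(password: str) -> str:
    """Normalise to NFC before hashing so an accented letter typed as one code point and
    as a base letter plus combining accent (both valid UTF-8) hash the same way at
    registration and at login."""
    return unicodedata.normalize('NFC', password)


def would_verify(registered: str, typed: str, reg_encoding: str, login_encoding: str) -> bool:
    """Simulate a registration and a later login that may disagree on encoding."""
    stored = md5_hex(canonical(registered), reg_encoding)
    return stored == md5_hex(canonical(typed), login_encoding)


if __name__ == '__main__':
    # constructed inputs: a Greek and a Russian password under UTF-8 and a legacy code page
    print(encodings_agree('πάσσωορδ', 'utf-8', 'cp1253'))
    print(would_verify('пароль', 'пароль', 'utf-8', 'cp1251'))
    print(would_verify('caf\u00e9', 'cafe\u0301', 'utf-8', 'utf-8'))
```

The practical check for a store is therefore not "forbid non-English characters" but "make sure every page that submits a password declares the same charset and normalise before hashing"; the example's `would_verify` returns True for the composed and decomposed spellings only because both sides pass through `canonical`.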
