Guest, posted August 31, 2006

I see in the password_funcs.php file that OSC adds 2 random characters and then md5s the password. Can anyone tell me what the security benefit of this added step is? I am importing an old database, and am tempted to simply check for either the new md5 method offered by OSC or my old plain md5'd passwords. Or is there a quick way to apply this new random encoding to 900 usernames in a MySQL database?
Guest, posted August 31, 2006

> I see in the password_funcs.php file that OSC adds 2 random characters and then md5s the password. Can anyone tell me what the security benefit of this added step is? I am importing an old database, and am tempted to simply check for either the new md5 method offered by OSC or my old plain md5'd passwords. Or is there a quick way to apply this new random encoding to 900 usernames in a MySQL database?

Remove the extra chars from password_funcs.php then. I don't know how they manage to check passwords when they add random characters before encoding... that really seems bizarre! It (the login script, whatever) would have to know what the extra characters were in order to encode the password typed by the user to compare against the md5 hash. So, look for where it figures that part out and you may be able to migrate. Hope that helps.
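The following is an added example, not code from osCommerce or from anyone in this thread. It re-implements the md5-with-two-character-salt scheme from password_funcs.php in Python to show the three things the question and the reply circle around: how the login side gets the salt back (it is stored after the colon), what the salt buys, and how an old table of plain md5 hashes can be migrated even though a salted value cannot be computed from an existing md5 digest: accept the old hash at login, then re-store the password in the salted format. The function names mirror the PHP ones; the `rows` dict standing in for the customers table, and the accounts in it, are constructed for the example.

```python
# Added example (not osCommerce's own code): the md5:salt scheme from
# password_funcs.php, the matching validation, and a login-time upgrade path
# for a table that still holds plain md5 values.
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    # PHP's md5() hashes the bytes it is handed; UTF-8 is assumed here.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two hex strings.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def tep_encrypt_password(plain: str) -> str:
    # Same construction as the PHP: two hex characters of the md5 of a random
    # string become the salt, salt+plain is hashed, and ':' + salt is appended
    # so the login code can find the salt again.  Two hex characters give only
    # 256 possible salts, so the gain over bare md5 is modest but real: a table
    # of precomputed digests has to be built 256 times over, and two customers
    # with the same password usually no longer share a stored value.
    salt = md5_hex(secrets.token_hex(8))[:2]
    return md5_hex(salt + plain) + ":" + salt


def tep_validate_password(plain: str, encrypted: str) -> bool:
    # The stored value carries its own salt: split it off and recompute.
    if ":" not in encrypted:
        return False
    stored_hash, salt = encrypted.split(":", 1)
    return _same(md5_hex(salt + plain), stored_hash)


def is_legacy_plain_md5(stored: str) -> bool:
    # The imported database holds bare 32-hex-digit md5 values with no ':salt'.
    return len(stored) == 32 and ":" not in stored


def login_and_upgrade(rows: dict, user: str, plain: str) -> bool:
    # Verify against whichever format the row holds.  When a legacy row
    # verifies, rewrite it in the salted format: the plaintext is only
    # available at this moment, so each account upgrades itself on its next
    # successful login rather than in one bulk SQL statement.
    stored = rows.get(user)
    if stored is None:
        return False
    if is_legacy_plain_md5(stored):
        if not _same(md5_hex(plain), stored):
            return False
        rows[user] = tep_encrypt_password(plain)
        return True
    return tep_validate_password(plain, stored)


def distinct_stored_values(plain: str, n: int) -> int:
    # How many different database values the same password can turn into.
    return len({tep_encrypt_password(plain) for _ in range(n)})


if __name__ == "__main__":
    # Constructed sample rows: two legacy accounts sharing a password.
    rows = {"alice": md5_hex("hunter2"), "bob": md5_hex("hunter2")}
    print("alice logs in:", login_and_upgrade(rows, "alice", "hunter2"))
    print("alice row now:", rows["alice"])
    print("bob row still:", rows["bob"])
    print("distinct salted forms of one password:",
          distinct_stored_values("hunter2", 50))
```

Running it shows alice's row change from a bare digest to the `digest:ss` form after one login while bob's row, untouched, stays in the old format until he logs in; the last line shows the same password producing many different stored values.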
Guest, posted July 2, 2007

Here is some SQL to convert a plain text password to an osc password:

    -- MySQL string positions start at 1 (PHP's substr is 0-based), so the
    -- salt is taken with SUBSTR(..., 1, 2); SUBSTR(..., 0, 2) yields an empty salt.
    CONCAT( md5(CONCAT(substr(md5(txtPass), 1, 2), txtPass)), ':', substr(md5(txtPass), 1, 2) )

It is based upon this function from password_funcs.php:

    // This function makes a new password from a plaintext password.
    function tep_encrypt_password($plain) {
      $password = '';
      for ($i=0; $i<10; $i++) {
        $password .= tep_rand();
      }
      $salt = substr(md5($password), 0, 2);
      $password = md5($salt . $plain) . ':' . $salt;
      return $password;
    }
Guest, posted September 25, 2007

The two characters added are for creating the hash in such a way that hash = md5(twocharacters + PlainPassword), i.e.:

    2 letters: 74
    Plain password: PaSs
    hash = md5('74PaSs') = acaa6e689ae0008285320e6617ca8e95:74

I don't see this "salt" added as a security improvement since md5 is already cracked and the salt is stored in the database, so it's not part of a shared secret.
lzrczrs, posted June 25, 2009

I have this project where usernames must be NOT unique, so in the first query in login.php I had to select *one* row from customers where _username and _password match. To do this, I had to modify tep_encrypt_password() and tep_validate_password() in includes/classes/functions/passwd_functions.php so they had no salt on the hash.

    function tep_validate_password($plain) {
      return true;
    }

    ////
    // This function makes a new password from a plaintext password.
    function tep_encrypt_password($plain) {
      // remove the salt
      $password = '';
      for ($i=0; $i<10; $i++) {
        $password .= tep_rand();
      }
      $salt = substr(md5($password), 0, 2);
      //$password = md5($salt . $plain) . ':' . $salt;
      $password = md5($plain);
      return $password;
    }

So, validation always comes to true because as a matter of fact in login.php we'll do the validation:

    // Check if email exists
    $check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_firstname = '" . tep_db_input($email_address) . "' and customers_password = '" . md5($password) . "'");

If you guys are going to use this multiple usernames and unique password login thing, check out the login.php query because I look for the username in the customers_firstname field. You know, sometimes you have to give stuff a little tweak. :P
gletech, posted September 12, 2012

I tried setting the password manually with this:

    update `customers` set customers_password = CONCAT( md5(CONCAT(substr(md5('Bubba'), 0, 2), 'Bubba')), ':', substr(md5('Bubba'), 0, 2) ) WHERE customers_id=1

The SQL worked, and this is the entry in the database:

    71399584f1bf28852c4b59aca22c2c21:

But I could not log in with the Bubba password. When I had the system set the password to Bubba, the database entry was this:

    $P$DzLR7FM1xQZWuq1h1I3/v7jVOJNqiY0

What I am trying to do is to have two programs (separate auction and osCommerce store) use the same login info, by having the auction system add to the osCommerce database at the same time it gets a registration, or has a password change. I am using v. 2.3.1. Looking at the password function code, it looks like the md5 was for an older version?

Any help appreciated. I am willing to pay an expert to help me with this conversion. I have this issue plus one with sorting. Email [email protected] if you can help.

Thanks, Mike
Prototype-23, posted August 13, 2013

Hi, as I noticed, customers can create their account with any password characters they want. Does the encryption method of osCommerce 2.3.x handle that well? Is the encryption of passwords UTF-8 compatible? I have some login issues logged in the action recorder. Several foreign customers weren't able to log in; after resetting their password to 123456 they could log in. I did some tests with Greek and Russian words for the password with no problem, but I'm afraid that maybe a special char in some other alphabet is not stored correctly, or users don't enter their full email address. If encryption is not UTF-8 compatible then maybe a validation should forbid users from entering non-English characters for their account password.

Thank you
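The following is an added example, not from the thread or from osCommerce. md5, and therefore every password format discussed above (bare md5, `md5:salt` and the 2.3.x phpass form), hashes bytes, not characters, so the hash functions themselves have no notion of UTF-8 and cannot "fail" on a Greek or Russian password. What does break a login is the same password arriving as different bytes on two occasions, e.g. posted in one charset at registration and in another at login; an ASCII password such as 123456 is identical under every common charset, which matches the symptom reported. The example shows the digest check for that case and a `diagnose_login` helper that distinguishes "not valid UTF-8" (a charset mismatch) from a plain wrong password, which is the kind of distinction worth writing to the action recorder. It uses bare md5 for brevity; the stored value and the passwords are constructed for the example.

```python
# Added example (not osCommerce code): why a non-ASCII password can verify on
# one page and fail on another when the two pages post in different charsets.
import hashlib


def md5_of(password: str, encoding: str) -> str:
    # The digest depends on the byte string, hence on the encoding.
    return hashlib.md5(password.encode(encoding)).hexdigest()


def same_digest_under(password: str, enc_a: str, enc_b: str) -> bool:
    # True only when both encodings produce the same bytes (always for ASCII).
    return md5_of(password, enc_a) == md5_of(password, enc_b)


def diagnose_login(raw_form_bytes: bytes, stored_md5: str) -> str:
    # The login form hands the server raw bytes.  If they are not valid UTF-8
    # the browser posted in another charset and no password check can succeed;
    # report that instead of a silent failure.  Bytes that happen to be valid
    # UTF-8 under a wrong charset are indistinguishable from a mistyped
    # password here, so this catches the common case, not every case.
    try:
        plain = raw_form_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return "charset-mismatch"
    if md5_of(plain, "utf-8") == stored_md5:
        return "ok"
    return "wrong-password"


if __name__ == "__main__":
    # Constructed samples: an ASCII reset password, a Russian and a Greek one.
    for pw, other in (("123456", "cp1251"), ("пароль", "cp1251"),
                      ("κωδικος", "iso8859_7")):
        print(pw, "same digest under utf-8 and", other, "->",
              same_digest_under(pw, "utf-8", other))
    stored = md5_of("пароль", "utf-8")      # registered via a UTF-8 form
    print(diagnose_login("пароль".encode("utf-8"), stored))
    print(diagnose_login("пароль".encode("cp1251"), stored))
    print(diagnose_login("123456".encode("utf-8"), stored))
```

The practical consequence is that the fix is on the form side (declare one charset, UTF-8, on every page that posts a password), not a rule forbidding non-English characters.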