osCommerce

Need a way to make the users' passwords plaintext


Justs

The passwords are "hashed" not "encrypted" so there is (for all practical purposes) no way to retrieve existing passwords.

On a new shop you could theoretically remove the hash process.

On an existing install everyone would lose their password if you were to implement plain text passwords.

But the whole idea (plain text passwords) just isn't a very good one at all.

They're made the way they are to be "secure".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


If you need the password simply to access your customer's account, for example to sign on as that customer using their email, you can do that with the following contributions. They create a single master password that works for all customers.

 

http://addons.oscommerce.com/info/2180

 

http://addons.oscommerce.com/info/8023

Oscommerce site:

 

 

OSC to CSS, http://addons.oscommerce.com/info/7263 -Mail Manager, http://addons.oscommerce.com/info/8120


What about a way to change the user password if he logs in or registers?


I know for sure there's a way, because a PHP programmer said he will do it for $$, and I don't like to pay for free stuff; this is already a free and open-source project, and I am aware of the risk.


Don't get "free" and "open source" mixed up. They have nothing to do with each other.

If you found a programmer who can change the hashed passwords to their plain equivalent, he is worth a -lot- of cash.

I say decrypting the hashed passwords is not possible unless you are the NSA.

Easy solution:

1. strip out the hashing input on account creation

2. strip out the hashing checks on login

3. strip out the hashing input on change of password

That's it.

All new customers' passwords will go in as plaintext.

All existing customers (prior to the change) will be required to use "password forgotten" when they next try to login, as their hashed password will not match the login check input.

That's the extent of my input into this conversation, as making passwords plain text is asking for trouble (in my opinion).


Ben,

 

As Jim originally posted, passwords are hashed to protect your customers' accounts. Removing the hashing would jeopardize the customers' personal information. I personally would NEVER create an account on a website that stated passwords are plain text and viewable to the store owner. IF you did remove the hashing you would be obligated to post that in your privacy policy, which would make your website unappealing to MANY potential customers.

 

 

 

Chris


I'm not looking to crack their password, I'm just looking for a way to turn password_funcs.php off, not encrypting the password.

And I am aware of the risk and what I'm doing.


Did you ever get the feeling you're not going to get a lot of help in accomplishing what you want? At least not publicly anyway.

:unsure:


Ho hum, I said I wouldn't post anymore on this thread, but here I am :(

 

What part of this:

 

 

1. strip out the hashing input on account creation

2. strip out the hashing checks on login

3. strip out the hashing input on change of password

 

 

is difficult? You need to find that stuff and strip it out, which means making an effort to find it and knowing a tiny bit of PHP to make it happen. Or did you want someone to do that for you? If so, someone might. They might also do your washing up.


Usually if you ask for ways to circumvent security you are throwing up a red flag to me. While that may not be your intention, without stating exactly what the purpose of the request is there is little desire to help you.

Now if you have a legitimate reason for having your passwords as plain text, like let's say you want to be able to tell a user what their password is, then there are suggestions we can make to accomplish the same thing without compromising your website's security and IN MY OPINION integrity.

That example, however, is already answered above with using a master password. This would allow you to log in to the customer's account, change their password and tell them what you changed it to.


Archived

This topic is now archived and is closed to further replies.
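
The two points the thread keeps returning to, that a stored hash can be checked but not read back, and that a forgotten password is replaced rather than retrieved, as an added example that is not part of the original thread and is not osCommerce's own `password_funcs.php`. It uses PHP's built-in `password_hash()` / `password_verify()`; the `$customer` array, the function names and the `must_change_password` flag are assumptions made for illustration.

```php
<?php
// Added example, not osCommerce code. $customer is a constructed stand-in
// for one row of a customers table.

// Store only a salted, one-way hash; the plaintext is never written anywhere.
function set_password(array &$customer, string $plain): void {
    $customer['password_hash'] = password_hash($plain, PASSWORD_DEFAULT);
}

// Login check: password_verify() re-hashes the input using the salt and cost
// embedded in the stored string and compares the results in constant time.
function check_login(array $customer, string $input): bool {
    return password_verify($input, $customer['password_hash']);
}

// Support reset: the old password is not recovered, only overwritten with a
// random temporary one that the customer is told once and must then change.
function issue_temporary_password(array &$customer): string {
    $temp = bin2hex(random_bytes(8));            // 16 hex characters from the CSPRNG
    set_password($customer, $temp);
    $customer['must_change_password'] = true;    // hypothetical flag
    return $temp;
}

$customer = ['email' => 'customer@example.com'];            // constructed sample
set_password($customer, 'correct horse battery staple');

// The right password verifies, a wrong one does not.
var_dump(check_login($customer, 'correct horse battery staple'));
var_dump(check_login($customer, 'wrong guess'));

// Hashing the same password again yields a different string (fresh salt),
// so the stored value cannot be matched by simple lookup or string equality.
$again = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump($again === $customer['password_hash']);

// After a support reset only the temporary password works.
$temp = issue_temporary_password($customer);
var_dump(check_login($customer, $temp));
var_dump(check_login($customer, 'correct horse battery staple'));
```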
