Magento - Passwords - Suggestions and Feedback - eCommerce Software for Growth, Powered by Open Source

Skip to site navigation »
Skip to main content »
Skip to footer content »

Questions? Contact our sales team to a request a quote

Magento Forum

Passwords

bigodines Total Posts: 27 Joined: 2008-01-05 Brazil Ignore user	[edit] There is a public release of this plugin available here: http://www.bigodines.com/magento/SaltedPass.tar.gz latest update: 12, Jan, 2008 [/edit] Hello Dev Team, I’ve been playing with Magento’s code for a couple days and realised that you are using md5() to protect users passwords. As we all know, md5() isn’t THAT safe anymore because we have gigantit rainbow tables wich can brake like 90% of passwords up to 10 chars. As this is an opensource project, I decided to give it a try and have something to show you instead of just asking for new features That said, here’s a short description on what I did to increase security by using salted passwords. I’ve extended Zend_Auth_Adapter_DbTable (the way it is its impossible to authenticate salted passwords) and then I’ve overridden the authenticate() method. Here’s the resulting class: <?php /** * Salted passwords for Magento using Zend_Auth_Adapter_DbTable * @author Matheus Mendes aka bigodines * @date Januray, 2008 / class Mage_Auth_Adapter_DbTable extends Zend_Auth_Adapter_DbTable { public function __construct(Zend_Db_Adapter_Abstract $zendDb, $tableName = null, $identityColumn = null, $credentialColumn = null, $credentialTreatment = null) { parent::__construct($zendDb, $tableName, $identityColumn, $credentialColumn, $credentialTreatment); } /* * This overrides authenticate() and assume the credentialTreatment is md5(?) * @return Zend_Auth_Result / public function authenticate() { // create result array $authResult = array( 'code' => Zend_Auth_Result::FAILURE, 'identity' => $this->_identity, 'messages' => array() ); // get username and salted passord for this user. $dbSelect = $this->_zendDb->select(); $dbSelect->from($this->_tableName) ->where($this->_zendDb->quoteIdentifier($this->_identityColumn) . '= ?', $this->_identity); // query for the identity try { $resultIdentities = $this->_zendDb->fetchRow($dbSelect->__toString()); } catch (Exception $e) { /* * @see Zend_Auth_Adapter_Exception / require_once 'Zend/Auth/Adapter/Exception.php'; throw new Zend_Auth_Adapter_Exception('The supplied parameters to Zend_Auth_Adapter_DbTable failed to ' . 'produce a valid sql statement, please check table and column names ' . 'for validity.'); } list( $hash, $salt ) = explode(':',$resultIdentities['password']); $inputPass = md5($this->_credential . $salt); //echo "Credential: ". $this->_credential . '<br>'; //echo "Hash: ". $hash . '<br>'; //echo "Mine:" . $inputPass . '<br>'; if ($inputPass == $hash) { // BINGO! $this->_resultRow = $resultIdentities; $authResult['code'] = Zend_Auth_Result::SUCCESS; $authResult['messages'][] = 'Authentication successful.'; return new Zend_Auth_Result($authResult['code'], $authResult['identity'], $authResult['messages']); } else { // FAILED $authResult['code'] = Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID; $authResult['messages'][] = 'Supplied credential is invalid.'; return new Zend_Auth_Result($authResult['code'], $authResult['identity'], $authResult['messages']); } } } ?> Now, to add the passwords into the database I changed the sql so the password field in admin_user can store bigger strings and then I’ve changed app/code/core/Mage/Admin/Model/Permissions/User.php (As this class is too big to paste, I’ve attached it here so you can download and analyze the changes. I can also create a diff/patch file if you want..) Just make sure to add users before replacing the validation method otherwise you won’t be able to login anymore :D As I’m running an empty install of Magento, I was unable to test if my script didn’t brake anything (It worked pretty well for me tough). If you have comments/suggestions feel free to post it here or send me a PM. Keep the good work :D PS: I didn’t create any patch because I would love if someone could test and check if it works in more realistics environments (aka: a database with more than 2 users and roels ) before taking this more seriously. File Attachments User.php (File Size: 4KB - Downloads: 61) Signature Matheus Mendes* Meu blog in portuguese My blog in “english”
	Posted: January 9 2008 \| top

bigodines Total Posts: 27 Joined: 2008-01-05 Brazil Ignore user	I’ve created a pack to make it easier for you to test the salted passwords. Although it’s not meant to brake anything, I would recommend you to create a backup of your database before trying salted passwords. Here is the README with instructions (excuse my english): Salted Passwords in Magento ---------------------------- This is a hack. There are no guarantees that your system will remain working smoothly Install -------- 1 - Make sure you change the size of your password field. You may run something like this in your MySQL: ALTER TABLE `admin_user` CHANGE `password` `password` VARCHAR( 60 ) 2 - Sign in in Magento admin (this is important because you’ll need to create a new user to start using salted passwords) 3 - Untar/Unzip this file in your root magento folder (all files will be placed under /community/ directory so u won’t loose anyting if it doesn’t work) 4 - Create a new magento user and give him administrator privileges (your current user won’t work anymore unless you change its password) FAQ ---- Q - I cannot login anymore! A - I TOLD YOU TO LOGIN BEFORE UNZIPPING, you cannot login because the current users don’t use salted passwords and the new authentication method does. Here’s a workaround for this problem: - Go to your phpMyAdmin (or any other software you use to manage your MySQL database) - Browse the admin_user table - Change your user’s password to: 5cf88201ea7be9037b934ec850c01a89:pQEuqfwbpJ - Your new password is “changeMe” (without quotes) - Login and change your password to the old one. Package is available here (tried to attach to the message but it didn’t work): http://www.bigodines.com/magento/SaltedPass.tar.gz Signature Matheus Mendes Meu blog in portuguese My blog in “english”
	Posted: January 11 2008 \| top \| # 1

Mark_Kimsal Total Posts: 186 Joined: 2007-09-12 Michigan, USA Ignore user	Instead of `# list( $hash, $salt ) = explode(':',$resultIdentities['password']); $inputPass = md5($this->_credential . $salt); //echo "Credential: ". $this->_credential . '<br>'; //echo "Hash: ". $hash . '<br>'; //echo "Mine:" . $inputPass . '<br>'; if ($inputPass == $hash) { // BINGO! ....` How about ... # if ( strstr($resultIdentities['password'], ':') !== false) { $inputPass = md5($this->_credential . $salt); list( $hash, $salt ) = explode(':',$resultIdentities['password']); } else { $inputPass = md5($this->_credential); $hash = $resultIdentities['password']; } if ($inputPass == $hash) { // BINGO! .... Signature There’s info on lots of custom modules in my Magento Group http://www.magentocommerce.com/group/view/174 Need Upgrade help from 0.6, 0.7, and 0.8 available? P.M. me for details on CMS integration.
	Posted: January 11 2008 \| top \| # 2

bigodines Total Posts: 27 Joined: 2008-01-05 Brazil Ignore user	this will work.. but I think the correct way should be convert unsalted passwords adding the salt instead of authenticating both methods (to keep the database consistent)… I’m working on a second version that doesn’t brake the login for unsalted users. Signature Matheus Mendes Meu blog in portuguese My blog in “english”
	Posted: January 12 2008 \| top \| # 3

bigodines Total Posts: 27 Joined: 2008-01-05 Brazil Ignore user	Just released another version with the fix. Now the SaltedPass will automatically convert old passwords to salted ones. download is available here: http://www.bigodines.com/magento/SaltedPass.tar.gz thanks for your feedback you will notice that some of the code may seem to be duplicated but I did that on purpose to make it easy to remove and make it a salted-only authentication mode for future versions… Signature Matheus Mendes Meu blog in portuguese My blog in “english”
	Posted: January 12 2008 \| top \| # 4

Magento Community

Magento Community

Back to top

International address format

Catalog - Product Information - General - Visibility Bug

© Copyright 2008 Varien. Magento, eCommerce software, is a trademark of Irubin Consulting Inc. DBA Varien
Privacy Policy|Terms of Service Magento Community Count
60360 users|832 users currently online|119523 forum posts