
Magento Forum

Passwords
 
bigodines
Jr. Member
 
Total Posts:  27
Joined:  2008-01-05
Brazil
 

[edit]

There is a public release of this plugin available here:
http://www.bigodines.com/magento/SaltedPass.tar.gz

latest update: 12, Jan, 2008

[/edit]

Hello Dev Team,

I’ve been playing with Magento’s code for a couple of days and realised that you are using md5() to protect users’ passwords. As we all know, md5() isn’t THAT safe anymore because we have gigantic rainbow tables which can break like 90% of passwords up to 10 chars. As this is an open-source project, I decided to give it a try and have something to show you instead of just asking for new features.

That said, here’s a short description on what I did to increase security by using salted passwords.

I’ve extended Zend_Auth_Adapter_DbTable (the way it is, it’s impossible to authenticate salted passwords) and then I’ve overridden the authenticate() method. Here’s the resulting class:

<?php
/**
 * Salted passwords for Magento using Zend_Auth_Adapter_DbTable
 * @author Matheus Mendes aka bigodines
 * @date January, 2008
 */
class Mage_Auth_Adapter_DbTable extends Zend_Auth_Adapter_DbTable {

    public function __construct(Zend_Db_Adapter_Abstract $zendDb, $tableName = null, $identityColumn = null,
                                $credentialColumn = null, $credentialTreatment = null)
    {
        parent::__construct($zendDb, $tableName, $identityColumn, $credentialColumn, $credentialTreatment);
    }

    /**
     * This overrides authenticate() and assumes the credentialTreatment is md5(?)
     * The stored password column holds "md5(password . salt):salt".
     * @return Zend_Auth_Result
     */
    public function authenticate() {

        // create result array
        $authResult = array(
            'code'     => Zend_Auth_Result::FAILURE,
            'identity' => $this->_identity,
            'messages' => array()
        );

        // get username and salted password for this user.
        $dbSelect = $this->_zendDb->select();
        $dbSelect->from($this->_tableName)
                 ->where($this->_zendDb->quoteIdentifier($this->_identityColumn) . ' = ?', $this->_identity);

        // query for the identity
        try {
            $resultIdentities = $this->_zendDb->fetchRow($dbSelect->__toString());
        } catch (Exception $e) {
            /**
             * @see Zend_Auth_Adapter_Exception
             */
            require_once 'Zend/Auth/Adapter/Exception.php';
            throw new Zend_Auth_Adapter_Exception('The supplied parameters to Zend_Auth_Adapter_DbTable failed to '
                                               . 'produce a valid sql statement, please check table and column names '
                                               . 'for validity.');
        }

        // unknown identity: fetchRow() returns false, so stop before touching ['password']
        if (!$resultIdentities) {
            $authResult['code'] = Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND;
            $authResult['messages'][] = 'A record with the supplied identity could not be found.';
            return new Zend_Auth_Result($authResult['code'], $authResult['identity'], $authResult['messages']);
        }

        // split the stored "hash:salt" value
        list($hash, $salt) = explode(':', $resultIdentities['password']);

        // hash the supplied credential with the stored salt
        $inputPass = md5($this->_credential . $salt);

        //echo "Credential: " . $this->_credential . '<br>';
        //echo "Hash: " . $hash . '<br>';
        //echo "Mine:" . $inputPass . '<br>';

        if ($inputPass == $hash) { // BINGO!

            $this->_resultRow = $resultIdentities;

            $authResult['code'] = Zend_Auth_Result::SUCCESS;
            $authResult['messages'][] = 'Authentication successful.';
            return new Zend_Auth_Result($authResult['code'], $authResult['identity'], $authResult['messages']);

        } else { // FAILED
            $authResult['code'] = Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID;
            $authResult['messages'][] = 'Supplied credential is invalid.';
            return new Zend_Auth_Result($authResult['code'], $authResult['identity'], $authResult['messages']);
        }
    }
}
?>

Now, to add the passwords into the database I changed the SQL so the password field in admin_user can store bigger strings, and then I’ve changed app/code/core/Mage/Admin/Model/Permissions/User.php (as this class is too big to paste, I’ve attached it here so you can download and analyze the changes. I can also create a diff/patch file if you want).

Just make sure to add users before replacing the validation method otherwise you won’t be able to login anymore :D

As I’m running an empty install of Magento, I was unable to test if my script didn’t break anything (it worked pretty well for me though).

If you have comments/suggestions feel free to post it here or send me a PM.

Keep the good work :D

PS: I didn’t create any patch because I would love it if someone could test and check if it works in more realistic environments (aka: a database with more than 2 users and roles) before taking this more seriously.

File Attachments
User.php  (File Size: 4KB - Downloads: 345)
 
 
bigodines
Jr. Member
 
Total Posts:  27
Joined:  2008-01-05
Brazil
 

I’ve created a pack to make it easier for you to test the salted passwords.

Although it’s not meant to break anything, I would recommend you create a backup of your database before trying salted passwords.

Here is the README with instructions (excuse my English):

Salted Passwords in Magento
----------------------------

This is a hack. There are no guarantees that your system will remain working smoothly.

Install
--------

1 - Make sure you change the size of your password field. You may run something like this in your MySQL:

ALTER TABLE `admin_user` CHANGE `password` `password` VARCHAR( 60 )

2 - Sign in to the Magento admin (this is important because you’ll need to create a new user to start using salted passwords)

3 - Untar/Unzip this file in your root Magento folder (all files will be placed under the /community/ directory so you won’t lose anything if it doesn’t work)

4 - Create a new magento user and give him administrator privileges (your current user won’t work anymore unless you change its password)

FAQ
----

Q - I cannot login anymore!
A - I TOLD YOU TO LOGIN BEFORE UNZIPPING, you cannot login because the current users don’t use salted passwords and the new authentication method does. Here’s a workaround for this problem:

- Go to your phpMyAdmin (or any other software you use to manage your MySQL database)
- Browse the admin_user table
- Change your user’s password to: 5cf88201ea7be9037b934ec850c01a89:pQEuqfwbpJ
- Your new password is “changeMe” (without quotes)
- Login and change your password to the old one.

Package is available here (tried to attach to the message but it didn’t work):
http://www.bigodines.com/magento/SaltedPass.tar.gz

 
 
Mark_Kimsal
Sr. Member
 
Total Posts:  186
Joined:  2007-09-12
Michigan, USA
 

Instead of

        list($hash, $salt) = explode(':', $resultIdentities['password']);

        $inputPass = md5($this->_credential . $salt);

        //echo "Credential: " . $this->_credential . '<br>';
        //echo "Hash: " . $hash . '<br>';
        //echo "Mine:" . $inputPass . '<br>';

        if ($inputPass == $hash) { // BINGO!
        ....

How about ...

        if (strstr($resultIdentities['password'], ':') !== false) {
            // salted row: "hash:salt" (split first, so $salt exists before it is used)
            list($hash, $salt) = explode(':', $resultIdentities['password']);
            $inputPass = md5($this->_credential . $salt);
        } else {
            // legacy unsalted row: plain md5
            $inputPass = md5($this->_credential);
            $hash = $resultIdentities['password'];
        }

        if ($inputPass == $hash) { // BINGO!
        ....
 
 
bigodines
Jr. Member
 
Total Posts:  27
Joined:  2008-01-05
Brazil
 

This will work, but I think the correct way should be to convert unsalted passwords by adding the salt instead of authenticating both methods (to keep the database consistent)… I’m working on a second version that doesn’t break the login for unsalted users.

 
 
bigodines
Jr. Member
 
Total Posts:  27
Joined:  2008-01-05
Brazil
 

Just released another version with the fix. Now the SaltedPass will automatically convert old passwords to salted ones.

download is available here: http://www.bigodines.com/magento/SaltedPass.tar.gz

Thanks for your feedback.

you will notice that some of the code may seem to be duplicated but I did that on purpose to make it easy to remove and make it a salted-only authentication mode for future versions…
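The two mechanisms discussed in this thread, the "md5(password . salt):salt" storage format from the first post and the automatic conversion of old unsalted rows from this release, as one stand-alone added example. This is editor-added code, not code from the thread or from the SaltedPass package; the function names (generateSalt, makeSaltedHash, isLegacyHash, verifyPassword) are assumptions chosen for illustration, and it needs PHP 7.1 or later for random_int() and the short list syntax.

```php
<?php
// Added example, not code from the thread or the SaltedPass package.
// Storage format: "md5(password . salt):salt". Legacy rows are a bare md5 digest.
// All function names below are assumptions for illustration.

const SALT_LENGTH = 10; // the README's sample salt "pQEuqfwbpJ" is 10 characters

/** Random alphanumeric salt drawn from a CSPRNG (random_int). */
function generateSalt(int $length = SALT_LENGTH): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, $last)];
    }
    return $salt;
}

/** Value to store for a new or changed password: "md5(password . salt):salt". */
function makeSaltedHash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? generateSalt();
    return md5($password . $salt) . ':' . $salt;
}

/** A legacy row is a bare 32-hex-character md5 digest with no ":salt" suffix. */
function isLegacyHash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Check a login attempt against either row format.
 * Returns ['ok' => bool, 'upgrade' => ?string]. When a legacy row verifies,
 * 'upgrade' carries the new "hash:salt" value the caller writes back, so the
 * row is converted on the user's next successful login (the thread's fix).
 */
function verifyPassword(string $password, string $stored): array
{
    if (isLegacyHash($stored)) {
        $ok = hash_equals(strtolower($stored), md5($password));
        return ['ok' => $ok, 'upgrade' => $ok ? makeSaltedHash($password) : null];
    }
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || !isLegacyHash($parts[0])) {
        return ['ok' => false, 'upgrade' => null]; // malformed row never matches
    }
    [$hash, $salt] = $parts;
    // hash_equals() is a strict, constant-time string compare; it avoids PHP's
    // loose "==", which treats two digests that look like "0e..." as equal numbers.
    $ok = hash_equals(strtolower($hash), md5($password . $salt));
    return ['ok' => $ok, 'upgrade' => null];
}

// ---- constructed sample rows (not real admin_user data) ----
$saltedRow = makeSaltedHash('changeMe', 'pQEuqfwbpJ');
$legacyRow = md5('changeMe');

$a = verifyPassword('changeMe', $saltedRow); // accepted, nothing to upgrade
$b = verifyPassword('changeMe', $legacyRow); // accepted, returns a "hash:salt" upgrade
$c = verifyPassword('wrong', $saltedRow);    // rejected
$d = verifyPassword('wrong', $legacyRow);    // rejected, no upgrade offered

var_dump($a['ok'] === true && $a['upgrade'] === null);
var_dump($b['ok'] === true && $b['upgrade'] !== null && !isLegacyHash($b['upgrade']));
var_dump($c['ok'] === false && $d['ok'] === false && $d['upgrade'] === null);
// once the upgrade value is written back, the row verifies as a salted row
var_dump(verifyPassword('changeMe', $b['upgrade'])['ok'] === true);
```

The caller decides when to persist the 'upgrade' value; doing it only after a successful legacy login is what lets existing admins keep working, which is the failure mode the README's "I cannot login anymore!" entry describes. Even with a per-user salt, md5 is a fast hash and still cheap to brute-force; on PHP 5.5 or later, password_hash() and password_verify() give a slow, salted algorithm with the same store-then-verify shape as above.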

 
 
ngebala
Jr. Member
 
Total Posts:  3
Joined:  2012-10-10
 

thanks all, I found out just what I needed.

 