Importing MD5+Salt Passwords to MD5.

Question

I'm moving my site from an oscommerce store to a commercial application.

The new application stores its passwords using straight MD5 encryption. Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.

Here is what someone posted on a forum:

The two characters added are for creating the hash in such way that
hash=md5(twocharactersPlainPassword)
ie: 2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74

---

Here is the code how Oscommerce encrypts the password:

////
// This function makes a new password from a plaintext password. 
  function tep_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }

// This funstion validates a plain text password with an
// encrypted password
  function tep_validate_password($plain, $encrypted) {
    if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      if (md5($stack[1] . $plain) == $stack[0]) {
        return true;
      }
    }

    return false;
  }

---

Here is how my new cart encrypts the password:

if ($admin_password_encrypt == 1) {
    $password_match = md5($password);
} else {
    $password_match = $password;
}

---

Is there any possible way of importing customer passwords from my oscommerce cart to my new cart.

Answer 1

No. MD5 is a hash algorithm, which is a one-way function. You cannot reverse the hash on your oscommerce system to remove the salt and rehash. Sorry.

Answer 2

It appears that you have the source code for your new cart. Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change the to use the same password storage mechanism as OSCommerce.

The answer to your question is no, there is no way of converting the passwords.

Answer 3

If the passwords are encrypted with md5, you won't be able to decrypt them. Your best possibility can be to check in your login code whether the creation of an account/last password change occurred before a certain date. If so, use OSCommerce's password validation function, if not, use your own.

This way, for all new accounts the passwords will be encrypted with the new method, and for old accounts you'd continue to handle them as usual, so it'll be transparent to users.

Another, and possibly better option is that you continue to use the salting method of OsCommerce. It is more secure, and you'll also get to keep your existing passwords.

Answer 4

Do not save plain MD5 hashes in your database. Plain MD5 hashes can be reverse engineered quickly and easily using rainbow tables. However, here's how you solve your problem, no matter how you choose to store the passwords in the future:

1. Create a column in your new database that specifies the "version" of the password. This is used to determine if the password was generated by the old application or the new one.
2. Import the old users, setting the aforementioned flag to indicate the password is imported.
3. Create two methods for validating a password. One method uses the code from your old application, the other uses your new validation method.
4. When a user is logging in, check the aforementioned flag and use the appropriate validation method.

Anyways, I want to reiterate that plain MD5 hashes are easy to crack for most passwords (since people like short and easy to remember passwords.) Use a salt and/or a more complex algorithm. I'd recommend both, and use a salt that is longer than two characters and not limited to numbers. This will make the passwords really secure.

Answer 5

c39ca0694f50203a947d648ba14b2818

Answer 6

There is no method for automatic conversion between hash algorithms. Unfortunately you would likely be stuck picking from one of the following bad options:

1. Configure or program old cart to store hashes in new format as users login to old system.
2. Use a password cracker to recover some percentage of old system cart passwords.
3. Ask new vendor to support old format
4. Send notification to all users they will need to prepend the salt text to their passwords when using the new system or customize the system to prepend known salts for them.