I'm moving my site from an oscommerce store to a commercial application.

The new application stores its passwords using straight MD5 encryption. Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.

Here is what someone posted on a forum:

The two characters added are for creating the hash in such way that
hash=md5(twocharactersPlainPassword)
ie: 2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74


Here is the code how Oscommerce encrypts the password:

////
// This function makes a new password from a plaintext password. 
  function tep_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }

// This function validates a plain text password with an
// encrypted password
  function tep_validate_password($plain, $encrypted) {
    if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      if (md5($stack[1] . $plain) == $stack[0]) {
        return true;
      }
    }

    return false;
  }

Here is how my new cart encrypts the password:

if ($admin_password_encrypt == 1) {
    $password_match = md5($password);
} else {
    $password_match = $password;
}

Is there any possible way of importing customer passwords from my oscommerce cart to my new cart?

+1  A: 

No. MD5 is a hash algorithm, which is a one-way function. You cannot reverse the hash on your oscommerce system to remove the salt and rehash. Sorry.

David M
So there's no way to import my passwords?
Ibn Saeed
Only if you have exactly the same salting and hashing implemented in your system.
David M
+6  A: 

It appears that you have the source code for your new cart. Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change it to use the same password storage mechanism as OSCommerce.

The answer to your question is no, there is no way of converting the passwords.

Greg Hewgill
Is there a better way of storing passwords? I would like to forward your suggestion to the development team of my new cart.
Ibn Saeed
An excellent article on the topic is Jeff's "You're Probably Storing Passwords Incorrectly": http://www.codinghorror.com/blog/archives/000953.html
Greg Hewgill
@Greg, thanks for the link.
Ibn Saeed
+1  A: 

If the passwords are encrypted with md5, you won't be able to decrypt them. Your best possibility can be to check in your login code whether the creation of an account/last password change occurred before a certain date. If so, use OSCommerce's password validation function, if not, use your own.

This way, for all new accounts the passwords will be encrypted with the new method, and for old accounts you'd continue to handle them as usual, so it'll be transparent to users.

Another, and possibly better option is that you continue to use the salting method of OsCommerce. It is more secure, and you'll also get to keep your existing passwords.

Click Upvote
+5  A: 

Do not save plain MD5 hashes in your database. Plain MD5 hashes can be reverse engineered quickly and easily using rainbow tables. However, here's how you solve your problem, no matter how you choose to store the passwords in the future:

  1. Create a column in your new database that specifies the "version" of the password. This is used to determine if the password was generated by the old application or the new one.
  2. Import the old users, setting the aforementioned flag to indicate the password is imported.
  3. Create two methods for validating a password. One method uses the code from your old application, the other uses your new validation method.
  4. When a user is logging in, check the aforementioned flag and use the appropriate validation method.

Anyways, I want to reiterate that plain MD5 hashes are easy to crack for most passwords (since people like short and easy to remember passwords.) Use a salt and/or a more complex algorithm. I'd recommend both, and use a salt that is longer than two characters and not limited to numbers. This will make the passwords really secure.

Blixt
Maybe generating different salt is even better, let's say you generate salt from users ID, a constant in code and his date of registration. All those parameters won't change and are different for every user.
usoban
That is one way. But I'd say it's more portable to just include the salt in the same column as the password, separated by some character. This isn't really a security issue, since to find the password, one would still have to generate the hash for every possible `string + salt` until the same hash is found. For every single row. No hacker in their right mind would attempt this, unless they have a quantum computer handy. =)
Blixt
Clever solution!
T Pops
@Blixt, I would try to implement your solution. Can you give a more detailed explanation?
Ibn Saeed
Using an entire salt shaker and the world's best hash algorithm does not really buy you anything. It does not effectively solve the weak password (offline dictionary attack) problem. It can force an attacker to devote more resources to the problem but nothing that anyone should expect would prevent a successful attack.
Einstein
I don't see what you're trying to say with your comment... that security is pointless because it won't be 100% effective? Just as security evolves, so does hacking. You will never reach a point where something is 100% secure. But by shifting the effort/reward ratio towards effort, you make hackers less likely to choose you as a target. That's why you should always strive to make your security solution as efficient as possible.
Blixt
I would say just replace the "new" (straight MD5) function entirely with the function from OSCommerce.
Dustin Fineout
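The versioned-password approach from Blixt's answer above, as an added example that is not part of the original thread or of either cart's code. The `pw_version` and `pw_hash` column names and all function names are hypothetical, the new scheme is assumed to be PHP's `password_hash()`, and the sample row is constructed in the OSCommerce `hash:salt` format; a successful legacy login is re-hashed on the spot, while the plaintext is still available.

```php
<?php
// Added example, not OSCommerce or vendor code. Hypothetical names:
// pw_version, pw_hash, validate_legacy(), validate_current(), check_login().
const PW_LEGACY_OSC = 1; // imported "md5(salt . plain):salt" value
const PW_CURRENT    = 2; // assumption: new scheme is PHP's password_hash()

// Method 1: the old application's check, mirroring tep_validate_password().
function validate_legacy(string $plain, string $stored): bool {
    $stack = explode(':', $stored);
    if ($plain === '' || count($stack) !== 2) {
        return false;
    }
    // hash_equals() is a strict, constant-time string comparison.
    return hash_equals($stack[0], md5($stack[1] . $plain));
}

// Method 2: the new application's check.
function validate_current(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

// Dispatch on the version flag. $user is taken by reference so that a
// successful legacy login can be upgraded to the current scheme.
function check_login(array &$user, string $plain): bool {
    switch ($user['pw_version']) {
        case PW_LEGACY_OSC:
            if (!validate_legacy($plain, $user['pw_hash'])) {
                return false;
            }
            $user['pw_hash']    = password_hash($plain, PASSWORD_DEFAULT);
            $user['pw_version'] = PW_CURRENT; // caller persists both columns
            return true;
        case PW_CURRENT:
            return validate_current($plain, $user['pw_hash']);
        default:
            return false; // unknown version: refuse rather than guess
    }
}

// Constructed sample row: salt '74' and password 'PaSs' as in the question.
$user = ['pw_version' => PW_LEGACY_OSC,
         'pw_hash'    => md5('74' . 'PaSs') . ':74'];

var_dump(check_login($user, 'wrong')); // wrong password against the legacy row
var_dump(check_login($user, 'PaSs'));  // legacy check, then in-place upgrade
var_dump($user['pw_version']);         // version flag after the upgrade
var_dump(check_login($user, 'PaSs'));  // same password via password_verify()
```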
+1  A: 

c39ca0694f50203a947d648ba14b2818

kingstone king
It's the kind of answer I'd have posted, if you didn't get to it first.
Broam
A: 

There is no method for automatic conversion between hash algorithms. Unfortunately you would likely be stuck picking from one of the following bad options:

  1. Configure or program old cart to store hashes in new format as users log in to old system.
  2. Use a password cracker to recover some percentage of old system cart passwords.
  3. Ask new vendor to support old format.
  4. Send notification to all users they will need to prepend the salt text to their passwords when using the new system or customize the system to prepend known salts for them.
Einstein