password encrytion from admin dashboard ?

[Saha]

How are the passwords encrypted from backend ? What key is used to encrypt them.

when i go to customer ->edit -> change pasword -> save

[Lathaneo]

Hi,

Good nice question ! Except that password are not encrypted, but hashed ;) Cause you can't reverse the process.

The hash password is made with Tools::hash(); /** * Hash password with native `password_hash` * * @param string $password * * @return bool|string * * @since 1.0.0 * @version 1.0.0 Initial version */ public static function hash($password) { return password_hash($password, PASSWORD_BCRYPT); }

The hash() methode use the native function in the PHP API, password_hash() .

To compare password, TB (and probably PS) use password_verify($plainTextPassword, $result['passwd'])

So, no key needed for hash them, as mention here, it's easier and safer.

Regards.

[Saha]

@lathaneo Thanks for the reply. How do I unhash so I can compare the password and allow customer to login.

[yaniv14]

You need to compare hashed password together and not the other way around. So you will need to hash the user entered password and compare.

[SLiCK_303]

@Saha is this a site thats been migrated? Or data from your old site imported into a new install?

[Saha]

@slick_303 it's a migrated site.

[Saha]

@yaniv14 same password hashed at different time gives me different results first line Tools::hash(123456) outputs : $2y$10$vf9b9Y92f7ELhhOTcI2GfOzrK1SfAIylPU8ySGy5F41JxREkoCj3G second line Tools::hash(123456); outputs: $2y$10$P3kdjPytuLHPZ3iEmjBxoezfOckOnIFB8cPj7ghUaltl7/bqUwrWO

[SLiCK_303]

@Saha and did you take the define('RIJNDAELKEY', and define('RIJNDAELIV', and define('COOKIEKEY', and define('COOKIEIV', settings from your old /config/settings.inc.php to your new one?

edit: are you having issues with people not being able to login to the FO, is that why you are asking this?

[Saha]

@slick_303 Yes I guess . Yes

[SLiCK_303]

backup your /config/setting.inc.php file, then change the values of the above 4 keys in it to match your old sites keys I'm assuming you migrated from PrestaShop....

[Saha]

@mdekker So how to approach . How to authenticate a user ?

[datakick]

the result of password_hash actually contains two parts - hash and salt. Salt is randomly generated each time you call this function, that's the reason why the result is different each time. In order to verify password, simply call function password_verify, with plain text password and a result of pasword_hash function:

password_verify($plaintextPassword, $hashWithSalt)

in other words, following expression will always return true:

password_verify($plaintextPassword, password_hash($plaintextPassword, PASSWORD_BCRYPT))

[Saha]

@datakick Thanks it works