password encrytion from admin dashboard ?

  • How are the passwords encrypted from backend ?
    What key is used to encrypt them.

    when i go to customer ->edit -> change pasword -> save

  • Hi,

    Good nice question !
    Except that password are not encrypted, but hashed 😉 Cause you can’t reverse the process.

    The hash password is made with Tools::hash();

         * Hash password with native `password_hash`
         * @param string $password
         * @return bool|string
         * @since   1.0.0
         * @version 1.0.0 Initial version
        public static function hash($password)
            return password_hash($password, PASSWORD_BCRYPT);

    The hash() methode use the native function in the PHP API, password_hash() .

    To compare password, TB (and probably PS) use

    password_verify($plainTextPassword, $result['passwd'])

    So, no key needed for hash them, as mention here, it’s easier and safer.


  • @lathaneo
    Thanks for the reply.
    How do I unhash so I can compare the password and allow customer to login.

  • You need to compare hashed password together and not the other way around.
    So you will need to hash the user entered password and compare.

  • @Saha is this a site thats been migrated? Or data from your old site imported into a new install?

  • @slick_303
    it’s a migrated site.

  • @yaniv14
    same password hashed at different time gives me different results
    first line Tools::hash(123456) outputs : $2y$10$vf9b9Y92f7ELhhOTcI2GfOzrK1SfAIylPU8ySGy5F41JxREkoCj3G
    second line Tools::hash(123456); outputs:

  • @Saha and did you take the define(‘RIJNDAEL_KEY’, and define(‘RIJNDAEL_IV’, and define(‘COOKIE_KEY’, and define(‘COOKIE_IV’, settings from your old /config/ to your new one?

    edit: are you having issues with people not being able to login to the FO, is that why you are asking this?

  • @slick_303
    Yes I guess .

  • backup your /config/ file, then change the values of the above 4 keys in it to match your old sites keys
    I’m assuming you migrated from PrestaShop…

  • @mdekker
    So how to approach .
    How to authenticate a user ?

  • the result of password_hash actually contains two parts - hash and salt. Salt is randomly generated each time you call this function, that’s the reason why the result is different each time. In order to verify password, simply call function password_verify, with plain text password and a result of pasword_hash function:

    password_verify($plaintextPassword, $hashWithSalt)

    in other words, following expression will always return true:

    password_verify($plaintextPassword, password_hash($plaintextPassword, PASSWORD_BCRYPT))

  • @datakick
    Thanks it works


Looks like your connection to thirty bees forum was lost, please wait while we try to reconnect.