I'm moving my site from an oscommerce store to a commercial application. The new application stores its passwords using straight MD5 encryption. oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash. Is there any possible way of me importing customers or am I stuck trying to convince the developers to support the oscommerce password method? oscommerce stores passwords using this function 31 //// 32 // This function makes a new password from a plaintext password. 33 function tep_encrypt_password($plain) { 34 $password = ''; 35 36 for ($i=0; $i<10; $i++) { 37 $password .= tep_rand(); 38 } 39 40 $salt = substr(md5($password), 0, 2); 41 42 $password = md5($salt . $plain) . ':' . $salt; 43 44 return $password; 45 } PHP:
You'll have to support the MD5 + hash method in order to allow your customers to login with their current PW. I would create a script to strip the hash and store them separate. Bobby
MD5 has been broken. This break is not just academic, but practicable. It was introduced in 2004 [1], refined in 2005 [2], and refined again in 2006 [3]. The current claim is that a collision can be found within one minute on a standard notebook PC. The bottom line is that neither application should be using MD5. That they do is a strong sign that both programs have neglected important security issues.
FeelLikeANut, Can you point me towards a solution that will convert my password database to plain text? Thanks.
The vulnerabilities found in MD5 was collision vulnerabilities. This doesn't mean that you can get the plaintext back from the hashes. This only means that they were able to find strings that gave the same MD5 hash. Read this Q&A here: http://www.cryptography.com/cnews/hash.html It will clarify this better. Thomas