Due to LinkedIn's privacy issues, several posts were opened on Quora and StackOverflow questioning the way Magento saves passwords.

As Mashable reports, a Russian hacker claims he successfully stole data from LinkedIn, and has uploaded 6.5 million passwords from the site as proof. Mashable says that although the passwords are encrypted with the SHA-1 hash function, they aren't salted. That means that it's easier for an enterprising hacker to figure out what passwords the encrypted hashes represent through trial and error.

As the quote above shows, there are two keywords for the password-storage issue: hash function and salt. So in this article we are going to examine these two points for Magento, with proof.

First, we glance at the database data to get an intuitive view of a customer's "password": 66982d945e975796f1de141eb5848fde:3t (we use the admin password from the "admin_user" table as an example). It looks like an MD5 hash, and it really is an MD5 hash, but with a salt; it's easy to guess that the phrase after the colon is the salt. So what does Magento do when it receives a customer's input?

The login form is posted to the customer controller, which is located at

MAGENTO_ROOT/app/code/core/Mage/Customer/controllers/AccountController.php

There you can find the following snippet:

public function loginPostAction() {
    ....
    $session->login($login['username'], $login['password']);
    ....
}

The variable $session is an instance of the Session class of the Customer module. Within the login function, the authenticate function is called. Finally, the answer to the problem can be found in the Mage_Core_Model_Encryption class:

// Plain MD5 of whatever it is given; the caller prepends the salt.
public function hash($data) {
    return md5($data);
}

// $hash is the stored value "digest:salt"; $password is the login input.
public function validateHash($password, $hash) {
    $hashArr = explode(':', $hash);   // [0] => digest, [1] => salt
    ....
    // Re-hash salt . password and compare with the stored digest.
    return $this->hash($hashArr[1] . $password) === $hashArr[0];
    ....
}

We can reach several interesting conclusions here:

  • It is the MD5 hash function that is used when hashing the password;
  • The colon in the database is exactly the separator between the hashed password and the salt;
  • Replacing the hash function is a simple and effective way to make your security system different from others';
  • Compared with LinkedIn, Magento's password system is stronger.
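As an added example (not Magento's own code), here is the same "md5(salt . password):salt" scheme re-implemented in Python, using the salt "3t" from the sample row above and a constructed second salt, to show what the salt buys over LinkedIn's unsalted SHA-1 and to mirror the colon split that validateHash() performs:

```python
import hashlib
import hmac

# Illustrative re-implementation of the Magento 1 scheme described in the
# article: stored value = md5(salt . password) ":" salt. Not Magento code.

def magento_hash(password: str, salt: str) -> str:
    """Mirror hash($salt . $password) and the 'digest:salt' layout seen
    in the admin_user / customer tables."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"

def validate_hash(password: str, stored: str) -> bool:
    """Mirror validateHash(): split on the colon, re-hash salt + password
    and compare with the stored digest. hmac.compare_digest is used in
    place of PHP's === so the comparison does not leak timing."""
    parts = stored.split(":")
    if len(parts) != 2:
        raise ValueError("expected 'digest:salt' format")
    digest, salt = parts
    candidate = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)

def unsalted_sha1(password: str) -> str:
    """The LinkedIn-style storage the article contrasts with: no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salt_comparison(password: str) -> dict:
    """Two accounts with the same password: under the salted scheme their
    stored digests differ, under the unsalted scheme they are identical,
    so one recovered hash would expose both accounts."""
    row_a = magento_hash(password, "3t")   # salt from the article's sample row
    row_b = magento_hash(password, "Q9")   # constructed second salt
    linkedin_a = unsalted_sha1(password)   # account A, unsalted
    linkedin_b = unsalted_sha1(password)   # account B, same password
    return {
        "salted_digests_differ": row_a.split(":")[0] != row_b.split(":")[0],
        "unsalted_digests_equal": linkedin_a == linkedin_b,
        "both_rows_validate": validate_hash(password, row_a)
                              and validate_hash(password, row_b),
    }

if __name__ == "__main__":
    pw = "correct horse"                       # constructed sample password
    stored = magento_hash(pw, "3t")
    print(stored, validate_hash(pw, stored), validate_hash("wrong", stored))
    print(salt_comparison(pw))
```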

Thus, until cryptography takes a great step forward, don't worry about Magento's password system. Later, we will publish another post to guide you on how to improve Magento's security.