How Magento stores and validates passwords – Magento

Magento (1.x) stores customer and admin user passwords as salted MD5 hashes.

How Magento creates the password hash

Magento creates the stored password hash with,

Mage::getModel('core/encryption')->getHash($password, 2);

Here is the logic of the getHash($password, $salt) function, with the salt written out as a literal,

 $password = "12345678";
 $salt = "at";
 // stored value is "<md5 of salt + password>:<salt>"
 $encryptedPassword = md5($salt . $password) . ":" . $salt;

In the real function, the second argument 2 is the salt length: $salt is a randomly generated string of two alphanumeric characters, and it is stored in clear after the colon so that validation can recompute the same MD5.

How Magento validates a password

The function below validates a user's password,

Mage::getModel('customer/customer')->authenticate($email, $password);

The logic behind the above function is,

 $email = "techbandhus@gmail.com";
 $password = "123456";

 // Load the customer by email address within the current website
 $customer = Mage::getModel('customer/customer')
     ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
     ->loadByEmail($email);

 // If loaded, get the stored password hash from the database
 $hash = $customer->getData("password_hash");

 // The stored value is "<md5 digest>:<salt>". authenticate() hands it,
 // together with the plain-text password, to validateHash(), where
 // $this->hash($data) is simply md5($data):
 public function validateHash($password, $hash)
 {
     // split the stored value into digest and salt at ':'
     $hashArr = explode(':', $hash);
     switch (count($hashArr)) {
         case 1:
             // legacy, unsalted: the stored value is a bare md5($password)
             return $this->hash($password) === $hash;
         case 2:
             // salted: md5($salt . $password) must equal the digest part
             return $this->hash($hashArr[1] . $password) === $hashArr[0];
     }
     Mage::throwException('Invalid hash.');
 }

So, even if the stored value has no salt and is only the plain MD5 of the password, login will still work, because validateHash() accepts a single-part hash as an unsalted md5(). Note also that MD5 with a two-character, publicly stored salt gives almost no protection against offline cracking of a leaked customer table; later Magento 1.9.x releases and Magento 2 moved to salted SHA-256 hashes for this reason.
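The two routines above, reproduced in Python as an added example (this is not Magento's own code; the function names magento_hash, validate_hash and crack, the sample password and the tiny wordlist are all mine). It shows the stored format, the fact that an unsalted MD5 still validates, and, with a constructed dictionary, why a two-character salt barely slows an attacker down:

```python
import hashlib
import secrets
import string
from typing import List, Optional

ALPHANUM = string.ascii_letters + string.digits


def magento_hash(password: str, salt: Optional[str] = None, salt_len: int = 2) -> str:
    """Reproduce Mage_Core_Model_Encryption::getHash() for the MD5 scheme.

    The stored value is md5(salt + password) + ':' + salt. When no salt is
    given, a random alphanumeric salt of salt_len characters is generated,
    which is what Magento does with getHash($password, 2).
    """
    if salt is None:
        salt = "".join(secrets.choice(ALPHANUM) for _ in range(salt_len))
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def validate_hash(password: str, stored: str) -> bool:
    """Mirror of validateHash(): 1 part = unsalted md5, 2 parts = md5:salt."""
    parts = stored.split(":")
    if len(parts) == 1:
        # legacy unsalted hash is still accepted
        return hashlib.md5(password.encode()).hexdigest() == stored
    if len(parts) == 2:
        digest, salt = parts
        return hashlib.md5((salt + password).encode()).hexdigest() == digest
    raise ValueError("Invalid hash.")


def crack(stored: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack against one stored hash.

    The salt is stored in clear, so each candidate costs exactly one MD5;
    there is no per-user work factor to slow this down.
    """
    for candidate in wordlist:
        if validate_hash(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # constructed sample: the password from the article with salt "at"
    stored = magento_hash("12345678", "at")
    print("stored:", stored)
    print("valid: ", validate_hash("12345678", stored))
    # constructed wordlist; a real attack would use a leaked-password list
    print("cracked:", crack(stored, ["password", "123456", "12345678"]))
```

validate_hash raises on a value with more than one colon, matching the Mage::throwException('Invalid hash.') branch; everything else follows the PHP comparison exactly, including lower-case hex digests.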
