Question

I have existing customer data, which includes email addresses and passwords (already MD5 hashed.)

Can I import this data into Magento, whilst keeping the customers' existing passwords?

Will an override of Magento's customer authentication class be required?


Solution

You do not need to modify Magento's authentication classes. You can import passwords already MD5 encrypted. I have tested this.

First, a look at how Magento CE stores passwords

salt = gg6s1b3f9s4dd (randomly generated every time a password is changed)
password = mypassword2015 (chosen by customer)
Encrypted Password = md5(salt.password).":".salt

Explained as .....
Step 1: md5(gg6s1b3f9s4ddmypassword2015).":".salt
Step 2: 7df0a5d9d07a06db6c7022d1e6ea2a57.":".salt
Final Result: 7df0a5d9d07a06db6c7022d1e6ea2a57:gg6s1b3f9s4dd 

Where the first string is the MD5 password with the salt,
and after the : is the salt that was used.

Therefore to import an already encrypted MD5 password

MD5_Password: a230b06a0387f5c697f08d83517cbb5d
Step 1: MD5_Password.":"
Final Result: a230b06a0387f5c697f08d83517cbb5d:

We can see that Magento looks for a ":" (colon) in the string, and assumes what comes after it is the Salt. If you place a ":" (colon) at the end of your already encrypted password and then nothing further, Magento will realise that there IS no salt for that password.

TL;DR Just add a ":" (colon) to the end of your already MD5 encrypted password.

Getting the password into Magento

Alright, so now we know what we need to do to our passwords, how do we get them into Magento? Normally Magento will automatically encrypt a password you give it, but in our case we DON'T want it to because it's already done.

Turns out, this is simple too! When creating a customer, or updating an existing one, by code you normally use this to set their password:

$customer->setPassword("Plain Text Password");

Just replace that with

$customer->setPasswordHash("Already Encrypted Password");
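
A worked illustration of the hash layout described in this answer, added here and not taken from the answer or from Magento's own code: a Python re-implementation of the `md5(salt.password):salt` check, a pre-import conversion that rejects malformed legacy hashes, and a dry run over constructed sample accounts with known test passwords.

```python
import hashlib
import re

def magento_hash(password: str, salt: str = "") -> str:
    """Build a hash in the layout the answer describes: md5(salt . password) ':' salt.
    An empty salt yields a bare md5(password) followed by a trailing colon."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"

def validate_hash(password: str, stored: str) -> bool:
    """Re-implementation (not Magento's code) of the check the answer describes:
    whatever follows the colon is treated as the salt; no colon means unsalted.
    A trailing colon therefore means an empty salt, i.e. plain md5(password)."""
    parts = stored.split(":")
    if len(parts) == 1:
        return hashlib.md5(password.encode("utf-8")).hexdigest() == parts[0]
    if len(parts) == 2:
        digest, salt = parts
        return hashlib.md5((salt + password).encode("utf-8")).hexdigest() == digest
    raise ValueError("invalid hash layout")

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

def legacy_md5_for_import(legacy_hash: str) -> str:
    """Convert a bare MD5 hex digest from the old system into the import form.
    Rejects values that are not a 32-char hex digest or that already carry a
    colon, so a malformed record fails loudly instead of silently locking the
    customer out after import."""
    h = legacy_hash.strip().lower()
    if not HEX_MD5.match(h):
        raise ValueError(f"not a bare MD5 hex digest: {legacy_hash!r}")
    return h + ":"

def preflight(records):
    """Dry-run check before a bulk import: for the few test accounts whose
    plaintext password is known, confirm the converted hash validates."""
    results = {}
    for email, legacy_hash, known_password in records:
        results[email] = validate_hash(known_password, legacy_md5_for_import(legacy_hash))
    return results

# Constructed sample records (hypothetical accounts, not real customer data).
SAMPLE = [
    ("alice@example.com", hashlib.md5(b"mypassword2015").hexdigest(), "mypassword2015"),
    ("bob@example.com", hashlib.md5(b"secret").hexdigest(), "wrong-guess"),
]
```

Run `preflight(SAMPLE)` against a handful of accounts whose test passwords you control before importing the whole table; a `False` for a known-good password means the legacy hashes are not plain unsalted MD5 and the trailing-colon trick will not work for them.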

OTHER TIPS

Magento CE uses a salted MD5 hash.

You would need to override Mage_Customer_Model_Session::login() or Mage_Customer_Model_Customer::validatePassword to adapt for the different passwords.

That said, changing password authentication methods is a bad idea. Consider just having your customers reset their passwords instead.

Also, the fact that Magento uses MD5 in CE and SHA2 in EE is a joke. MD5 is bad and insecure. I guess only EE customers at $15K+ per license get proper security.

Magento is way out of line here.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange