Question

Quick buffer, I know very little about encryption methods and how they are implemented, I just know a little on the quality and importance of a good versus bad encryption method. My understanding is that Magento CE uses the very weak MD5 encryption method, which is widely known for being lackluster and should cease even being used. Magento EE however uses SHA-256 which is known as a much stronger alternative.

As a two-pronged question, is Magento's thinking on keeping CE using MD5 strictly a business decision to push vendors to EE for a stronger method?

And how hard would it be to upgrade the current method of CE from MD5 to say SHA-256 ourselves without Magento needing to implement the change for us?

Thanks!


Solution

Magento uses the getHash() method in the core helper:
app/code/core/Mage/Core/Helper/Data.php

public function getHash($password, $salt = false)
{
    return $this->getEncryptor()->getHash($password, $salt);
}

If you take a look at the getEncryptor() method, you will see that you can define your own encryptor model:

public function getEncryptor()
{
    if ($this->_encryptor === null) {
        $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
        if ($encryptionModel) {
            $this->_encryptor = new $encryptionModel;
        } else {
            $this->_encryptor = Mage::getModel('core/encryption');
        }

        $this->_encryptor->setHelper($this);
    }
    return $this->_encryptor;
}

You have to create a new XML node global/helpers/core/encryption_model where you can define your own model. And if you extend your new encryptor model from Mage_Core_Model_Encryption, you can use all core features and just override the specific method:

// Mage_Core_Model_Encryption::hash() as shipped with CE: this is the method to override
public function hash($data)
{
    return md5($data);
}

I don't recommend changing the hash method in a production system, because if you change the hashing method, your existing customers can't log in anymore.
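As an added example (not code from the answer or from the Magento code base), this is what such an override could look like: a custom encryptor in a hypothetical module My_Hash, registered through the config node named in the answer, that hashes new passwords with SHA-256 but still validates stored MD5 hashes, so existing customers keep logging in after the switch. It assumes Magento CE 1.x with the parent class's "digest:salt" hash format and PHP 5.6 or newer for hash_equals().

```php
<?php
// app/code/local/My/Hash/etc/config.xml (hypothetical module; the node path is the
// one the core helper reads via XML_PATH_ENCRYPTION_MODEL):
//
//   <config>
//     <global>
//       <helpers>
//         <core>
//           <encryption_model>My_Hash_Model_Encryption</encryption_model>
//         </core>
//       </helpers>
//     </global>
//   </config>

// app/code/local/My/Hash/Model/Encryption.php (hypothetical class name)
class My_Hash_Model_Encryption extends Mage_Core_Model_Encryption
{
    // A hex SHA-256 digest is 64 characters; a legacy hex MD5 digest is 32.
    const SHA256_HEX_LENGTH = 64;

    // New hashes use SHA-256. The parent's getHash() still builds the
    // "digest:salt" string around this method, so salting is unchanged.
    public function hash($data)
    {
        return hash('sha256', $data);
    }

    // Stored MD5 digests are recognised by their length and checked with md5();
    // everything else is checked with the new algorithm. hash_equals() compares
    // in constant time so the check does not leak how many bytes matched.
    public function validateHash($password, $hash)
    {
        $parts = explode(':', $hash);
        if (count($parts) > 2) {
            Mage::throwException('Invalid hash.');
        }
        $digest = $parts[0];
        $salted = isset($parts[1]) ? $parts[1] . $password : $password;

        $candidate = (strlen($digest) === self::SHA256_HEX_LENGTH)
            ? $this->hash($salted)
            : md5($salted);

        return hash_equals($digest, $candidate);
    }
}
```

To retire the MD5 entries over time, regenerate the stored hash with getHash() whenever a customer logs in successfully against a legacy digest.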

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange