Where and how are passwords stored in Magento?

2

7

It would be a tremendous user experience blessing to have a universal login across the various apps of my website. For now, I have a Magento storefront and an IPS Board community, and I'm trying to integrate them into one universal login for my users.

IPS board offers a variety of login methods and one of them is External Database that enables me to integrate it with an external database for user details.

Fantastic! So I can link IPS with Magento's database for unified user credentials.

However, thus far I can only find the email field that is customer_entity.email.

My questions are:

  1. What is the password hash field (table.field) in Magento?
  2. How does Magento generate password hash? MD5? SHA1? What is the salt (I guess it's different by installation but where can I find it)?

As you can see from the attached images, I need the details of where and how Magento stores passwords to enable IPS to use Magento's database as an external database for user login details.

Any idea or suggestion on how to get this done would be greatly appreciated!

Whitted answered 6/10, 2012 at 7:58 Comment(3)
Nice explanation is in magentogarden.com/blog/… - Cabasset
@Cabasset link is down unfortunately :( - Bilateral
@Bilateral and no archive, sorry :(. I should have copy-pasted some info. - Cabasset
8

The customer's password is stored in customer_entity_varchar; it is an EAV attribute. You can't use IPB external database functionality. You should use Mage::getModel('customer/customer')->authenticate($login, $password); to authenticate customers in your code.

Beau answered 7/10, 2012 at 0:16 Comment(1)
The easiest way is to use the Magento events customer_customer_authenticated and customer_register_success to hook login / register actions and add custom queries from IPB. You can use autoload to use IPB's API, or just create a custom model and transfer data to the board's database. Another way is to make a complicated one-database login system with one user entity for all systems. Anyway, standard integration tools won't help much. By default the password is generated as md5('saltpassword').':salt' for the CE version. The salt is 2 random alphanumeric characters. - Brennabrennan
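
The hash layout given in the comment above, md5(salt . password) followed by ':' and the salt, checked in PHP. This is an added example, not code from the thread or from Magento; the function name and sample values are constructed, and it assumes the stored value has already been read from customer_entity_varchar.

```php
<?php
// Added example: verify a password against the layout described in the
// comment above, md5(salt . password) . ':' . salt (stated CE default).
// verifyMagentoCeHash() is a hypothetical helper name, not a Magento API.

/**
 * @param string $password Plain-text password submitted at login.
 * @param string $stored   Stored value in the form "hexdigest:salt".
 * @return bool True when the password matches the stored hash.
 */
function verifyMagentoCeHash(string $password, string $stored): bool
{
    // Split once: everything after the first ':' is the salt.
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false; // no salt part, so not the layout described here
    }
    [$hash, $salt] = $parts;

    // Reject values that are not a 32-character hex MD5 digest plus a salt,
    // so malformed rows fail closed instead of comparing garbage.
    if (strlen($hash) !== 32 || !ctype_xdigit($hash) || $salt === '') {
        return false;
    }

    // Recompute with the stored salt prepended to the submitted password.
    $candidate = md5($salt . $password);

    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals(strtolower($hash), $candidate);
}

// Constructed sample: build a stored value the same way, then verify it.
$salt   = 'a7'; // 2 alphanumeric characters, as the comment describes
$stored = md5($salt . 'correct horse') . ':' . $salt;

var_dump(verifyMagentoCeHash('correct horse', $stored)); // matching password
var_dump(verifyMagentoCeHash('wrong guess', $stored));   // wrong password
var_dump(verifyMagentoCeHash('correct horse', 'not-a-hash')); // malformed row
```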
3

You can find the encryption key in /app/etc/local.xml. I haven't looked at the user table but my guess would be the hash field is the encrypted password.

Encryption functionality is in Mage_Core_Model_Encryption so if you can gain access to Magento from your IPS board, you could do something similar to:

$password = 'whatever'; //your logic provides this password

require_once('app/Mage.php'); //path to your Magento app/Mage.php
Mage::app(); //we can now use magento functionality

$decrypted = Mage::getModel('core/encryption')->decrypt($password);

You'll need to work out where best to put this logic in order to integrate it, but it's a start at least.

Jolin answered 6/10, 2012 at 8:34 Comment(1)
You won't be able to decrypt the customer's password, as it's hashed (by default MD5 in CE and SHA1 in EE versions). The encryption key is used to encrypt significant data in orders, API keys and third-party integration passwords. - Brennabrennan
