Importing MD5+Salt Passwords to MD5

Ibn Saeed · Jul 10, 2009 · Viewed 7.6k times

I'm moving my site from an oscommerce store to a commercial application.

The new application stores its passwords using straight MD5 encryption. Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.

Here is what someone posted on a forum:

The two characters added are for creating the hash in such way that
hash=md5(twocharactersPlainPassword)
ie: 2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74


Here is the code Oscommerce uses to encrypt the password:

// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
  $password = '';

  for ($i=0; $i<10; $i++) {
    $password .= tep_rand();
  }

  $salt = substr(md5($password), 0, 2);
  $password = md5($salt . $plain) . ':' . $salt;

  return $password;
}

// This function validates a plain text password with an encrypted password
function tep_validate_password($plain, $encrypted) {
  if (tep_not_null($plain) && tep_not_null($encrypted)) {
    // split apart the hash / salt
    $stack = explode(':', $encrypted);

    if (sizeof($stack) != 2) {
      return false;
    }

    if (md5($stack[1] . $plain) == $stack[0]) {
      return true;
    }
  }

  return false;
}

Here is how my new cart encrypts the password:

if ($admin_password_encrypt == 1) {
    $password_match = md5($password);
} else {
    $password_match = $password;
}

Is there any possible way of importing customer passwords from my oscommerce cart to my new cart?

Answer

Greg Hewgill · Jul 10, 2009

It appears that you have the source code for your new cart. Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change it to use the same password storage mechanism as OSCommerce.

The answer to your question is no, there is no way of converting the passwords.
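
An added example, not part of the original question or answer and not osCommerce's or the new cart's own code: one way to follow the answer's suggestion is to import the `hash:salt` strings unchanged and verify them at login with the osCommerce scheme. It goes one step beyond the page by replacing each legacy value with a `password_hash()` value after a successful login; the function names `legacy_osc_verify` and `verify_login` are hypothetical.

```php
<?php
// Added example: hypothetical helper names, not osCommerce or new-cart code.

// Verify a password against an imported osCommerce value "md5(salt . plain):salt".
function legacy_osc_verify(string $plain, string $stored): bool {
    $parts = explode(':', $stored);
    if ($plain === '' || count($parts) !== 2) {
        return false;
    }
    [$hash, $salt] = $parts;
    // hash_equals() compares in constant time and avoids PHP's loose "=="
    // comparison, which can treat two different "0e..." hex strings as equal.
    return hash_equals(strtolower($hash), md5($salt . $plain));
}

// Check a login against whatever format the stored value currently has.
// Returns [ok, replacement]; replacement is non-null when the caller should
// overwrite the stored value with a modern hash.
function verify_login(string $plain, string $stored): array {
    if (preg_match('/^[0-9a-f]{32}:[^:]+$/i', $stored)) {
        // Imported osCommerce row: verify the old way, then upgrade.
        $ok = legacy_osc_verify($plain, $stored);
        return [$ok, $ok ? password_hash($plain, PASSWORD_DEFAULT) : null];
    }
    // Row already upgraded: standard PHP password API.
    $ok = password_verify($plain, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? password_hash($plain, PASSWORD_DEFAULT) : null];
}

// Constructed sample row, built the way tep_encrypt_password() builds it,
// using the salt "74" and password "PaSs" from the forum post quoted above.
$imported = md5('74' . 'PaSs') . ':74';

[$ok, $upgraded] = verify_login('PaSs', $imported);
echo 'legacy login ok: ', var_export($ok, true), PHP_EOL;
echo 'row should be rewritten: ', var_export($upgraded !== null, true), PHP_EOL;

[$bad] = verify_login('wrong', $imported);
echo 'wrong password ok: ', var_export($bad, true), PHP_EOL;

// After the caller stores $upgraded, the same password verifies via password_verify().
[$ok2, $again] = verify_login('PaSs', $upgraded);
echo 'upgraded login ok: ', var_export($ok2, true), PHP_EOL;
echo 'needs another rewrite: ', var_export($again !== null, true), PHP_EOL;
```

The password column in the new cart has to be wide enough for both formats: 35 characters for the imported osCommerce values and up to 255 for `password_hash()` output.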