Feature #1532

Authenticate Passwords Using ZenCart Hashing Scheme

Added by Pavan Rikhi 25 days ago. Updated 19 days ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: Pavan Rikhi
% Done:
Category: Security
Spent time: -
Target version: v1.0.0 - Deployment
Easy Pickings:


This will allow us to migrate the website without requiring all users to reset their password.

Migrate over ZenCart's password hashing scheme (see /includes/functions/password_funcs.php).

Add DB columns for the ZenCart password (or just re-use the password column) & password migration status (bool).

When authenticating a user, see if their password has been migrated. If so, use the normal password validation scheme. If their password has not been migrated, attempt to validate their password using the ZenCart hashing scheme. If it validates correctly, hash the password using the new hashing scheme, & save it to the database while toggling their password migration status. If it does not validate correctly, throw an auth error.

When receiving a successful password reset scheme, make sure the password migration status is correctly set.

/**
 * password_funcs functions
 * @package functions
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: password_funcs.php 2618 2005-12-20 00:35:47Z drbyte $
 */

// This function validates a plain text password with an encrypted password
  function zen_validate_password($plain, $encrypted) {
    if (zen_not_null($plain) && zen_not_null($encrypted)) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      if (md5($stack[1] . $plain) == $stack[0]) {
        return true;
      }
    }

    return false;
  }

// This function makes a new password from a plaintext password.
  function zen_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= zen_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }
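
The login-time migration described above, sketched in Python as an added example (not part of the original issue and not this project's code). The `User` fields, the function names, and PBKDF2-HMAC-SHA256 as the stand-in "new hashing scheme" are all assumptions; the legacy format `md5(salt . plain):salt` is taken from the ZenCart code quoted above.

```python
import hashlib, hmac, os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the stand-in new scheme

@dataclass
class User:  # hypothetical row: password column plus migration status flag
    password: str
    password_migrated: bool

def zencart_hash(plain: str, salt: str) -> str:
    # Legacy format from password_funcs.php; UTF-8 input bytes are an assumption.
    return hashlib.md5((salt + plain).encode()).hexdigest() + ":" + salt

def zencart_verify(plain: str, stored: str) -> bool:
    parts = stored.split(":")
    if not plain or len(parts) != 2:
        return False
    # Constant-time, exact comparison instead of PHP's loose `==`.
    return hmac.compare_digest(zencart_hash(plain, parts[1]).encode(), stored.encode())

def new_hash(plain: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def new_verify(plain: str, stored: str) -> bool:
    try:
        salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:  # e.g. a legacy "hash:salt" value behind a wrongly set flag
        return False
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, expected)

def authenticate(user: User, plain: str) -> bool:
    """Return True on success; the caller raises the auth error on False."""
    if user.password_migrated:
        return new_verify(plain, user.password)
    if not zencart_verify(plain, user.password):
        return False  # failed legacy check leaves the row untouched
    # Legacy hash validated: replace it and flip the flag in the same update.
    user.password = new_hash(plain)
    user.password_migrated = True
    return True

def reset_password(user: User, new_plain: str) -> None:
    # A reset always stores the new scheme, so the flag must be set too.
    user.password = new_hash(new_plain)
    user.password_migrated = True
```

In a real schema the hash and the migration flag should be written in a single UPDATE so a row can never hold a new-scheme hash with the flag still unset.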


#1 Updated by Pavan Rikhi 24 days ago

  • Description updated (diff)

#2 Updated by Pavan Rikhi 19 days ago

Make sure to prefer passwords for customers with non-COWOA accounts when merging customers together in DataMigration script.
