Feature #1532

Authenticate Passwords Using ZenCart Hashing Scheme

Added by Pavan Rikhi 5 months ago. Updated 28 days ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Pavan Rikhi% Done:


Category:SecuritySpent time:-
Target version:v0.9.0 - Admin
Easy Pickings:


This will allow us to migrate the website without requiring all users to reset their password.

Migrate over ZenCart's password hashing scheme(see /includes/functions/password_funcs.php).

Add DB columns for the zencart password(or just re-use password column) & password migration status(bool).

When authenticating a user, see if their password has been migrated. If so, use the normal password validation scheme. If their password has not been migrated, attempt to validate their password using the zencart hashing scheme. If it validates correctly, hash the password using the new hashing scheme, & save it to the database while toggling their password migration status. If it does not validate correctly, throw an auth error.

When receiving a successful password reset scheme, make sure the password migration status is correctly set.

 * password_funcs functions 
 * @package functions
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: password_funcs.php 2618 2005-12-20 00:35:47Z drbyte $

// This function validates a plain text password with an encrpyted password
  function zen_validate_password($plain, $encrypted) {
    if (zen_not_null($plain) && zen_not_null($encrypted)) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;

      if (md5($stack[1] . $plain) == $stack[0]) {
        return true;

    return false;

// This function makes a new password from a plaintext password. 
  function zen_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= zen_rand();

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;

Associated revisions

Revision f275f6e5
Added by Pavan Rikhi 28 days ago

[#1532] Try ZenCart Passwords for Initial Logins

Implement ZenCart's password hashing policy in the API server's
loginRoute. It is only attempted if the customerEncryptedPassword field
matches the format of ZenCarts passwords & normal hashing does not
validate the password. If the ZenCart password is valid, the stored
password hash is upgraded to the normally used BCrypt policy.

This keeps us from requiring password resets from all migrated

Closes #1532


#1 Updated by Pavan Rikhi 5 months ago

  • Description updated (diff)

#2 Updated by Pavan Rikhi 5 months ago

Make sure to prefer passwords for customers with non-COWOA accounts when merging customers together in DataMigration script.

#3 Updated by Pavan Rikhi about 1 month ago

  • Target version changed from v1.00.00 - Deployment to v0.9.0 - Admin

#4 Updated by Pavan Rikhi 28 days ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

Also available in: Atom PDF