  1. #1
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Default Customer Passwords

    I was wondering what type of encryption is used on the customer passwords. I am trying to set up a separate reseller web site which I am using ColdFusion to code. I usually use the MySQL PASSWORD function to encrypt my passwords. Does anyone have any insight on this?

    Thanks!

    - James

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: Customer Passwords

    Zen Cart encryption uses MD5+SALT... you can see the logic in the includes/functions/password_funcs.php file in case you need to re-use that intelligence to keep passwords sync'd using same encryption methods

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Default Re: Customer Passwords

    I'm basically needing to read the password information from that file to authenticate a user on a different subdomain. I'm not as proficient in PHP as I am in ColdFusion, so I am writing my new script in CF. I need to be able to authenticate the users using the Zen database and passwords. Is this going to be possible?

  4. #4
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: Customer Passwords

    If you use the same logic that Zen Cart uses, translating the code into CF syntax, you'll be fine.

  5. #5
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    help question Re: Customer Passwords

    Where would I find the key that is used to encrypt/decrypt the passwords?

  6. #6
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: Customer Passwords

    Originally posted by MunchSoft:
        Where would I find the key that is used to encrypt/decrypt the passwords?
    The answer is here:
    Originally posted by DrByte:
        Zen Cart encryption uses MD5+SALT... you can see the logic in the includes/functions/password_funcs.php file in case you need to re-use that intelligence to keep passwords sync'd using same encryption methods
    - retrieve the password from the database
    - pass the typed-in-password and the retrieved password to the zen_validate_password() function. It'll compare them and return a result.
    - if it returns true, it's a match.

  7. #7
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Default Re: Customer Passwords

    What type of encryption is used to decrypt the password? I'm not using PHP on my other web site so I have to decrypt it using ColdFusion, not PHP. And I don't know PHP very well so it's mostly all foreign to me.

    Here is what my code requires:

    <!--- First hash it --->
    <cfset thePass = hash(password) />

    <!--- now salt it --->
    <cfset thePass = Encrypt(thePass, 'AKEY', 'YOUNEEDTHEALGORYTHHERE', IVorSalt) />

  8. #8
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    help question Re: Customer Passwords

    I was told to ask what algorithm is used to encrypt (AES, DES, etc.) and what type of salt is being used for passwords? That would greatly help!

  9. #9
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: Customer Passwords

    There is no "key" per se.

    As I mentioned, all the logic for Zen Cart passwords is in the password_funcs.php file.

    You can look it up in the file just as easily as I can paste it here. Granted, since your questions are still asking the same thing and you don't seem to be looking in the direction I'm sending you, about all I can do further is paste it here ... so ...

    To encrypt a password, call this function, passing the plaintext password to it. This is ONLY needed if you're preparing to save TO the database:
    Code:
      function zen_encrypt_password($plain) {
        $password = '';
    
        for ($i=0; $i<10; $i++) {
          $password .= zen_rand();
        }
    
        $salt = substr(md5($password), 0, 2);
    
        $password = md5($salt . $plain) . ':' . $salt;
    
        return $password;
      }
    If you're reading FROM the database and want to validate a password, you pass the typed password and the encrypted password from the database to this function:
    Code:
      function zen_validate_password($plain, $encrypted) {
        if (zen_not_null($plain) && zen_not_null($encrypted)) {
          // split apart the hash / salt
          $stack = explode(':', $encrypted);
    
          if (sizeof($stack) != 2) return false;
    
          if (md5($stack[1] . $plain) == $stack[0]) {
            return true;
          }
        }
    
        return false;
      }
    THERE IS NO "decrypt" CAPABILITY FOR THESE PASSWORDS.
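The scheme in the two PHP functions above, ported to Python as an added example (not Zen Cart's code and not part of the original posts), shows that there is no key or cipher to configure: the stored value is md5(salt + password), a colon, and the 2-character salt. The UTF-8 encoding, the CSPRNG salt, the empty-input check and the constant-time comparison are assumptions or substitutions made here, and `salted_md5` and `SAMPLE_ROW` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed sample row: md5("abc") stored with salt "ab", so the password is "c".
SAMPLE_ROW = "900150983cd24fb0d6963f7d28e17f72:ab"


def salted_md5(salt: str, plain: str, encoding: str) -> str:
    # PHP's md5() hashes raw bytes and returns lowercase hex; so does hexdigest().
    return hashlib.md5((salt + plain).encode(encoding)).hexdigest()


def zen_encrypt_password(plain: str, encoding: str = "utf-8") -> str:
    """Build the stored value: md5(salt + plain) + ':' + salt."""
    # The PHP code derives its 2-character hex salt from zen_rand(); any two
    # lowercase hex characters give a compatible row, so a CSPRNG is used here.
    salt = secrets.token_hex(1)
    return salted_md5(salt, plain, encoding) + ":" + salt


def zen_validate_password(plain: str, encrypted: str, encoding: str = "utf-8") -> bool:
    """Port of the PHP check: re-hash with the stored salt and compare."""
    # Approximates zen_not_null(), whose body is not shown in the thread.
    if not plain or not plain.strip() or not encrypted:
        return False
    stack = encrypted.split(":")
    if len(stack) != 2:
        return False
    stored_hash, salt = stack
    candidate = salted_md5(salt, plain, encoding)
    # Constant-time comparison, used here in place of PHP's loose `==`.
    return hmac.compare_digest(candidate.encode(), stored_hash.encode())


if __name__ == "__main__":
    print(zen_validate_password("c", SAMPLE_ROW))  # constructed sample row
    row = zen_encrypt_password("correct horse")
    print(row, zen_validate_password("correct horse", row))
```

When porting to ColdFusion, note that Hash() returns uppercase hex while PHP's md5() returns lowercase, so lower-case the result before comparing it with the database value. A single fast MD5 with a 2-character salt is cheap to brute-force offline, so treat this as a compatibility format for existing rows.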

  10. #10
    Join Date
    Dec 2006
    Posts
    9
    Plugin Contributions
    0

    Default Re: Customer Passwords

    http://easycfm.com/forums/viewmessag...12&Topic=10553

    Could you take a look at the forum where we're discussing this on the ColdFusion side? Since I'm using ColdFusion to validate the password against the hashed and salted password in the Zen Cart database, I guess I would need to know how the encrypted password is created. As far as which encryption method is used? Please remember I'm very foreign to PHP as a whole. If you need to ask me anything to understand what I need, please let me know, as I am anxious to get the logins created for this project.

    Thanks!

    James Munch
    MunchSoft

 

 