Re: Using OSCommerce Encrypted Password in OfBiz

Thu, 01 Nov 2007 08:12:14 -0800

Check the length of the password hash in osCommerce. It could be 35 characters, 2 characters longer than MD5's 32 (with a ":" in between).
Next, look into osCommerce password-generating codes. I believe osCommerce password hashes are salted. 


There's no way you can easily reverse-engineer those salted hashes into 
plain MD5 hashes. That's the whole point of salting! To prevent an easy 
dictionary attack.



(Note that the salt has to be added BEFORE the MD5 hashing, or you'll 
end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In 
that case, you can just chop off the appended unmixed salt and do a 
dictionary attack. I don't think the osCommerce salting is that silly. 
So, remember the simple cooking rule. Salt to taste, and mix well!)



If you have tons of money and loads of clustered computers, you could 
attempt to undo those salted hashes. Or... if you have a quantum 
computer... who knows? :)


Jonathon

Jacques Le Roux wrote:

AFAIK MD5 is MD5 (but I'm far from being an ecnryption guru ;o). Perhaps 
OScommerce MD5 is salted (or the peculiar data that you
import) ? (OFBIz's MD5 is not yet salted, should be - soon? - though)

Jacques


----- Message d'origine ----- 
De : "Vince M. Clark" <[EMAIL PROTECTED]>

À : "user" <user@ofbiz.apache.org>
Envoyé : jeudi 1 novembre 2007 14:57
Objet : Fwd: Using OSCommerce Encrypted Password in OfBiz



  

Originally posted on dev.

Follow up question to Joel's original post. Do any of you security or 
encryption gurus out there know if pw's encrypted using MD5

    

in osCommerce should "automagically" work using MD5 encryption in OfBiz?

  

We imported the encrypted pw and switched security.properties to use MD5 
instead of SHA. The pw's do not work.

Vince Clark
Global Era
The Freedom of Open Source
[EMAIL PROTECTED]
(303) 493-6723


----- Forwarded Message ----- 
From: "Jacques Le Roux" <[EMAIL PROTECTED]>

To: [EMAIL PROTECTED]
Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua
Subject: Re: Using OSCommerce Encrypted Password in OfBiz

Please use user ML for such questions 
http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists

Check password.encrypt.hash.type in security.properties, it's SHA by default

Jacques

De : "Joel Blouin" <[EMAIL PROTECTED]>

    

We have over 60000 customers in OSCommerce that we imported into OfBiz along
with their existing MD5 encrypted passwords, so they can login with their
current password. The import was the easy part. We configured OfBiz to
use the same salt and MD5 encryption as OSCommerce, but the passwords do not
work. What did we miss? Any guidance on this is greatly appreciated.



Thanks,

Joel





      




  
























					Reply via email to