Jonathon, thanks for your reply. This is consistent with what Hans has told me. 
We would need to plug in the osCommerce C library if we want to use existing 
osCommerce pw's. 

David - I think your recommendation doesn't take this into consideration. We 
MUST be able to use existing osCommerce pw's. According to Jonathon's follow up 
to this post we would still have to "plug in" the osCommerce encryption 
algorithm in order to use any pw's already encrypted from osCommerce. I believe 
your solution would only address using MD5 for encrypting new values. So it 
still doesn't address our issue of moving users (50,000+) to a new system. 

Is this correct, or are you suggesting the changes you outlined would also work 
with existing encrypted pw's from osCommerce? 

Vince Clark 
Global Era 
The Freedom of Open Source 
[EMAIL PROTECTED] 
(303) 493-6723 

----- Original Message ----- 
From: "Jonathon -- Improov" <[EMAIL PROTECTED]> 
To: user@ofbiz.apache.org 
Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver 
Subject: Re: Using OSCommerce Encrypted Password in OfBiz 

Vince, 

You could refactor the "password generating and checking" portions of 
OFBiz into a pluggable structure, so that you can plug-in any custom 
methods for password handling. 

Yes, it is possible to use the same salt and same hashes in OFBiz. Just 
make sure you plug-in the password handling algo that is also used in 
osCommerce. 

You still won't be able to know what passwords those hashes translate 
to. But your users (who entered those passwords) will know those 
passwords. If they enter those passwords into OFBiz, and your OFBiz has 
the correct password handling plug-in, OFBiz will be able to recognize 
those passwords entered. 

Jonathon 

Vince M. Clark wrote: 
> pw has a : with two more characters. So it is salted. 
> 
> Is it possible to use the same salt in OfBiz as was used in osCommerce? Is it 
> as simple as bringing over a key or is there code to write? 
> 
> Vince Clark 
> Global Era 
> The Freedom of Open Source 
> [EMAIL PROTECTED] 
> (303) 493-6723 
> 
> ----- Original Message ----- 
> From: "Jonathon -- Improov" <[EMAIL PROTECTED]> 
> To: user@ofbiz.apache.org 
> Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver 
> Subject: Re: Using OSCommerce Encrypted Password in OfBiz 
> 
> Check the length of the password hash in osCommerce. It could be 35 
> characters, 2 characters longer than MD5's 32 (with a ":" in between). 
> 
> Next, look into osCommerce password-generating codes. I believe 
> osCommerce password hashes are salted. 
> 
> There's no way you can easily reverse-engineer those salted hashes into 
> plain MD5 hashes. That's the whole point of salting! To prevent an easy 
> dictionary attack. 
> 
> (Note that the salt has to be added BEFORE the MD5 hashing, or you'll 
> end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In 
> that case, you can just chop off the appended unmixed salt and do a 
> dictionary attack. I don't think the osCommerce salting is that silly. 
> So, remember the simple cooking rule. Salt to taste, and mix well!) 
> 
> If you have tons of money and loads of clustered computers, you could 
> attempt to undo those salted hashes. Or... if you have a quantum 
> computer... who knows? :) 
> 
> Jonathon 
> 
> Jacques Le Roux wrote: 
> 
>> AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps 
>> OScommerce MD5 is salted (or the peculiar data that you 
>> import) ? (OFBiz's MD5 is not yet salted, should be - soon? - though) 
>> 
>> Jacques 
>> 
>> ----- Original Message ----- 
>> From: "Vince M. Clark" <[EMAIL PROTECTED]> 
>> To: "user" <user@ofbiz.apache.org> 
>> Sent: Thursday, November 1, 2007 14:57 
>> Subject: Fwd: Using OSCommerce Encrypted Password in OfBiz 
>> 
>>> Originally posted on dev. 
>>> 
>>> Follow up question to Joel's original post. Do any of you security or 
>>> encryption gurus out there know if pw's encrypted using MD5 in osCommerce 
>>> should "automagically" work using MD5 encryption in OfBiz? 
>>> 
>>> We imported the encrypted pw and switched security.properties to use MD5 
>>> instead of SHA. The pw's do not work. 
>>> 
>>> Vince Clark 
>>> Global Era 
>>> The Freedom of Open Source 
>>> [EMAIL PROTECTED] 
>>> (303) 493-6723 
>>> 
>>> ----- Forwarded Message ----- 
>>> From: "Jacques Le Roux" <[EMAIL PROTECTED]> 
>>> To: [EMAIL PROTECTED] 
>>> Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua 
>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz 
>>> 
>>> Please use user ML for such questions 
>>> http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 
>>> 
>>> Check password.encrypt.hash.type in security.properties, it's SHA by 
>>> default 
>>> 
>>> Jacques 
>>> 
>>> From: "Joel Blouin" <[EMAIL PROTECTED]> 
>>> 
>>>> We have over 60000 customers in OSCommerce that we imported into OfBiz 
>>>> along with their existing MD5 encrypted passwords, so they can login with 
>>>> their current password. The import was the easy part. We configured OfBiz 
>>>> to use the same salt and MD5 encryption as OSCommerce, but the passwords 
>>>> do not work. What did we miss? Any guidance on this is greatly appreciated. 
>>>> 
>>>> Thanks, 
>>>> 
>>>> Joel 

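
Added example (not part of the thread, and not OFBiz or osCommerce code): a sketch of the pluggable password check discussed above, showing why an imported 35-character value fails under plain MD5 and passes under a salt-aware verifier. It assumes the stored layout is md5(salt + password) + ":" + salt and UTF-8 input bytes; confirm both against the osCommerce password routines. All class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LegacyPasswordCheck {
    /** Hypothetical plug-in point: one implementation per stored-hash format. */
    interface PasswordVerifier {
        boolean matches(String stored, String entered);
    }

    static String md5Hex(String s) {
        try {
            // Assumption: passwords were hashed as UTF-8 bytes; legacy data may differ.
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Compare hex digests without leaking the mismatch position through timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    /** Unsalted MD5: what a plain "hash type = MD5" setting compares against. */
    static final PasswordVerifier PLAIN_MD5 = (stored, entered) ->
        constantTimeEquals(stored, md5Hex(entered));

    /** Assumed osCommerce layout: md5(salt + password) + ":" + salt. */
    static final PasswordVerifier SALTED_MD5 = (stored, entered) -> {
        String[] parts = stored.split(":", -1);
        if (parts.length != 2 || parts[0].length() != 32) return false; // malformed value
        return constantTimeEquals(parts[0], md5Hex(parts[1] + entered));
    };

    public static void main(String[] args) {
        // Constructed sample: a stored value built the assumed way (32 + ":" + 2 chars).
        String salt = "a7", password = "correct horse";
        String stored = md5Hex(salt + password) + ":" + salt;
        System.out.println("stored length       = " + stored.length());
        System.out.println("plain MD5 accepts   = " + PLAIN_MD5.matches(stored, password));
        System.out.println("salted MD5 accepts  = " + SALTED_MD5.matches(stored, password));
        System.out.println("wrong password      = " + SALTED_MD5.matches(stored, "wrong"));
    }
}
```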