Thanks BJ. That is plan "B". 

Vince Clark 
Global Era 
The Freedom of Open Source 
[EMAIL PROTECTED] 
(303) 493-6723 

----- Original Message ----- 
From: "BJ Freeman" <[EMAIL PROTECTED]> 
To: user@ofbiz.apache.org 
Sent: Monday, November 5, 2007 1:32:08 PM (GMT-0700) America/Denver 
Subject: Re: Using OSCommerce Encrypted Password in OfBiz 

I know this is a left-handed way to accomplish this. 
If you have a one-time service that sends emails with a new temporary 
password, then have them update their password as a security measure, you 
might save yourself a lot of trouble. 

Vince M. Clark sent the following on 11/5/2007 11:05 AM: 
> Jonathon, thanks for your reply. This is consistent with what Hans has told 
> me. We would need to plug in the osCommerce C library if we want to use 
> existing osCommerce pw's. 
> 
> David - I think your recommendation doesn't take this into consideration. We 
> MUST be able to use existing osCommerce pw's. According to Jonathon's follow 
> up to this post we would still have to "plug in" the osCommerce encryption 
> algorithm in order to use any pw's already encrypted from osCommerce. I 
> believe your solution would only address using MD5 for encrypting new values. 
> So it still doesn't address our issue of moving users (50,000+) to a new 
> system. 
> 
> Is this correct, or are you suggesting the changes you outlined would also 
> work with existing encrypted pw's from osCommerce? 
> 
> Vince Clark 
> Global Era 
> The Freedom of Open Source 
> [EMAIL PROTECTED] 
> (303) 493-6723 
> 
> ----- Original Message ----- 
> From: "Jonathon -- Improov" <[EMAIL PROTECTED]> 
> To: user@ofbiz.apache.org 
> Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver 
> Subject: Re: Using OSCommerce Encrypted Password in OfBiz 
> 
> Vince, 
> 
> You could refactor the "password generating and checking" portions of 
> OFBiz into a pluggable structure, so that you can plug-in any custom 
> methods for password handling. 
> 
> Yes, it is possible to use the same salt and same hashes in OFBiz. Just 
> make sure you plug-in the password handling algo that is also used in 
> osCommerce. 
> 
> You still won't be able to know what passwords those hashes translate 
> to. But your users (who entered those passwords) will know those 
> passwords. If they enter those passwords into OFBiz, and your OFBiz has 
> the correct password handling plug-in, OFBiz will be able to recognize 
> those passwords entered. 
> 
> Jonathon 
> 
> Vince M. Clark wrote: 
>> pw has a : with two more characters. So it is salted. 
>> 
>> Is it possible to use the same salt in OfBiz as was used in osCommerce? Is 
>> it as simple as bringing over a key or is there code to write? 
>> 
>> Vince Clark 
>> Global Era 
>> The Freedom of Open Source 
>> [EMAIL PROTECTED] 
>> (303) 493-6723 
>> 
>> ----- Original Message ----- 
>> From: "Jonathon -- Improov" <[EMAIL PROTECTED]> 
>> To: user@ofbiz.apache.org 
>> Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver 
>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz 
>> 
>> Check the length of the password hash in osCommerce. It could be 35 
>> characters, 2 characters longer than MD5's 32 (with a ":" in between). 
>> 
>> Next, look into osCommerce password-generating codes. I believe 
>> osCommerce password hashes are salted. 
>> 
>> There's no way you can easily reverse-engineer those salted hashes into 
>> plain MD5 hashes. That's the whole point of salting! To prevent an easy 
>> dictionary attack. 
>> 
>> (Note that the salt has to be added BEFORE the MD5 hashing, or you'll 
>> end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In 
>> that case, you can just chop off the appended unmixed salt and do a 
>> dictionary attack. I don't think the osCommerce salting is that silly. 
>> So, remember the simple cooking rule. Salt to taste, and mix well!) 
>> 
>> If you have tons of money and loads of clustered computers, you could 
>> attempt to undo those salted hashes. Or... if you have a quantum 
>> computer... who knows? :) 
>> 
>> Jonathon 
>> 
>> Jacques Le Roux wrote: 
>> 
>>> AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps 
>>> OScommerce MD5 is salted (or the peculiar data that you 
>>> import) ? (OFBiz's MD5 is not yet salted, should be - soon? - though) 
>>> 
>>> Jacques 
>>> 
>>> ----- Original Message ----- 
>>> From: "Vince M. Clark" <[EMAIL PROTECTED]> 
>>> To: "user" <user@ofbiz.apache.org> 
>>> Sent: Thursday, November 1, 2007 14:57 
>>> Subject: Fwd: Using OSCommerce Encrypted Password in OfBiz 
>>> 
>>>> Originally posted on dev. 
>>>> 
>>>> Follow up question to Joel's original post. Do any of you security or 
>>>> encryption gurus out there know if pw's encrypted using MD5 
>>>> in osCommerce should "automagically" work using MD5 encryption in OfBiz? 
>>>> 
>>>> We imported the encrypted pw and switched security.properties to use MD5 
>>>> instead of SHA. The pw's do not work. 
>>>> 
>>>> Vince Clark 
>>>> Global Era 
>>>> The Freedom of Open Source 
>>>> [EMAIL PROTECTED] 
>>>> (303) 493-6723 
>>>> 
>>>> ----- Forwarded Message ----- 
>>>> From: "Jacques Le Roux" <[EMAIL PROTECTED]> 
>>>> To: [EMAIL PROTECTED] 
>>>> Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua 
>>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz 
>>>> 
>>>> Please use user ML for such questions 
>>>> http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 
>>>> 
>>>> Check password.encrypt.hash.type in security.properties, it's SHA by 
>>>> default 
>>>> 
>>>> Jacques 
>>>> 
>>>> From: "Joel Blouin" <[EMAIL PROTECTED]> 
>>>> 
>>>>> We have over 60000 customers in OSCommerce that we imported into OfBiz 
>>>>> along with their existing MD5 encrypted passwords, so they can login with 
>>>>> their current password. The import was the easy part. We configured OfBiz 
>>>>> to use the same salt and MD5 encryption as OSCommerce, but the passwords 
>>>>> do not work. What did we miss? Any guidance on this is greatly appreciated. 
>>>>> 
>>>>> Thanks, 
>>>>> 
>>>>> Joel 
>>>>> 
>>> 
>> 
>> 
> 
> 
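
Added example, not part of the thread and not OFBiz or osCommerce code: a sketch of the password-checking plug-in Jonathon describes, showing why switching security.properties to plain MD5 cannot match the imported values. It assumes the stored layout is md5(salt + password), a colon, then the 2-character salt, and that passwords were hashed as UTF-8 bytes; the class and method names are hypothetical, so confirm the layout against your osCommerce source.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper, not an OFBiz class: checks a login password against an
// imported osCommerce value, assuming the layout md5(salt + password) + ":" + salt.
public class OsCommercePasswordCheck {

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        // Assumption: the original system hashed the UTF-8 bytes of the password.
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(32);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // 32 hex characters, a colon, then the 2-character salt: 35 characters in total.
    static boolean looksSalted(String stored) {
        return stored != null && stored.matches("[0-9a-fA-F]{32}:.{2}");
    }

    static boolean verify(String entered, String stored) throws NoSuchAlgorithmException {
        if (!looksSalted(stored)) return false;           // not the imported format
        String hash = stored.substring(0, 32).toLowerCase();
        String salt = stored.substring(33);
        // The salt is mixed in before hashing, so it must be re-applied on every check.
        byte[] expected = hash.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(salt + entered).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the password and salt are made up for this example.
        String password = "correct horse", salt = "7f";
        String stored = md5Hex(salt + password) + ":" + salt;

        System.out.println("stored length        = " + stored.length());
        // Plain MD5 of the password is what an unsalted MD5 setting would compare.
        System.out.println("plain MD5 matches    = "
                + md5Hex(password).equals(stored.substring(0, 32)));
        System.out.println("salted check, right  = " + verify(password, stored));
        System.out.println("salted check, wrong  = " + verify("Correct horse", stored));
    }
}
```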
