Thursday, May 13, 2010

Password Encryption: how Zen Cart handles customer validation

How Zen Cart "encrypts" passwords (the operation is really a salted md5 hash):
1. Generate a random number with 100 digits:
e.g.: 1848751306155909551019133583582126298457157391230411931806601506158142207720389212964433351079126741

2. Take the md5 hash of that random number and keep the first two characters of the hex digest:
e.g.: 8f

3. Prepend those two characters to the user's password and md5 the resulting string:
e.g.: using "pwd" as my password...
md5(8fpwd) = 39a9484d3aea5888d6683aa82fc64ba5

4. Record the hash, a colon, and the two characters generated earlier (the salt):
39a9484d3aea5888d6683aa82fc64ba5:8f

How Zen Cart "decrypts" passwords:
1. Based on the user name (email address), fetch the stored password record from the database and split it at the colon into the stored hash and the two-character "salt" appended at the end.

2. Prepend the "salt" to the password supplied by the client:
8fpwd

3. md5 the new string and compare the result with the stored hash from the database:
e.g.: If md5(8fpwd) equals "39a9484d3aea5888d6683aa82fc64ba5", allow access.

Note: the password is never decrypted.
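The two procedures above (creating the stored record and validating a login) written out as an added Python example; this is not Zen Cart's own PHP code, and the function names and the use of the secrets module for randomness are my choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example reproducing the scheme described in the post; it is not
# Zen Cart's source. Function names and the secrets-based RNG are assumptions.

def md5_hex(text: str) -> str:
    """Hex md5 digest of a string (what the post calls 'encrypting')."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def random_100_digit_number() -> str:
    """Step 1: a random integer with exactly 100 decimal digits, as a string."""
    first = str(secrets.randbelow(9) + 1)               # 1-9, so no leading zero
    rest = "".join(str(secrets.randbelow(10)) for _ in range(99))
    return first + rest

def derive_salt() -> str:
    """Step 2: md5 the random number and keep the first two hex characters."""
    return md5_hex(random_100_digit_number())[:2]

def zen_make_password(plain: str, salt: Optional[str] = None) -> str:
    """Steps 3-4: hash salt+password and store it as '<md5hex>:<salt>'."""
    if salt is None:
        salt = derive_salt()
    return md5_hex(salt + plain) + ":" + salt

def zen_validate_password(plain: str, stored: str) -> bool:
    """Verification: split off the salt, re-hash salt+candidate, compare."""
    if stored.count(":") != 1:
        return False                                      # malformed record
    stored_hash, salt = stored.split(":")
    candidate = md5_hex(salt + plain)
    # constant-time comparison; the post describes a plain equality check
    return hmac.compare_digest(candidate, stored_hash)

if __name__ == "__main__":
    record = zen_make_password("pwd")                    # fresh random salt
    print(record)
    print(zen_validate_password("pwd", record), zen_validate_password("PWD", record))
```

Two hex characters give only 256 distinct salts and md5 is fast, so this format is far weaker than a modern password hash such as bcrypt; the code reproduces the described scheme only to make the record layout concrete.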
