Customer Password Encryption and Email Login Module from Miva Merchant Available FREE

    #16
    Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

    OK. I understand one-way encryption but I don't understand why PHP (for example) should not be able to compare a password input by a user and determine if it equals the hash (SHA-1 created with a salt) stored in the miva database just like miva script does. Don't I just need you to tell me how the salt is stored (e.g. part of the hash or in separate field)? Is there some miva documentation you could point me to on how miva's SHA-1 encryption function works?
    Thank you,

    Comment


      #17
      Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

      Hi ericj: I would think that the idea of password encryption is to assure the customer that no one can see their password. Not even the store owner. If the store owner is able to un-encrypt the password, then the encryption security of the password is compromised. Why bother encrypting it?
      Larry
      Larry
      Luce Kanun Web Design
      www.facebook.com/wajake41
      www.plus.google.com/116415026668025242914/posts?hl=en


      Comment


        #18
        Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

        Larry, I agree with what you wrote, but just to be clear, I did not ask how to "un-encrypt" (meaning show plain text passwords) the hashed values saved in the DB - that's not practically possible (without a rainbow table). I do hope somebody will tell me how the salt is implemented in Miva.

        Comment


          #19
          Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

          Encrypted passwords have the following format:

          SHA1:ssssssssssssssssssssssssssssssssHHHHHHHHHHHHH HHHHHHHHHHHHHHHHHHHHHHHHHHH

          Where "s" represents the 16-byte salt value, and H represents the 160-bit SHA1. Both the salt and SHA1 hash are stored in hexadecimal.

          So, as a rough pseudocode algorithm to verify a password:

          Extract hexadecimal salt from encrypted password and convert from hexadecimal to binary
          Prepend entered password with binary salt, resulting in salted password
          Generate SHA1 hash of salted password and encode in hexadecimal
          Compare hexadecimal generated salt with salt in encrypted password

          Hope this helps.

          Comment


            #20
            Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

            Hi burch: I assumed that to verify a password, you would encrypt the entered password using the same encryption method as was used for the stored encrypted password, then compare the two values. Not so?

            Larry
            Larry
            Luce Kanun Web Design
            www.facebook.com/wajake41
            www.plus.google.com/116415026668025242914/posts?hl=en


            Comment


              #21
              Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

              Oops, the last step in my example is incorrect.

              It should read:

              Compare hexadecimal encoded SHA1 from the salted password with the stored SHA1.

              So you are correct.

              Comment


                #22
                Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                Thank you for the explanation. And for the clarification...I spent a bit of time yesterday wondering about that last sentence.

                In any case, if a php developer reads this string one day and would translate the "rough pseudocode" into php and share, I would appreciate it. It's not clear to me if this is pretty easy in php (using sha1(), bin2hex(), and hex2bin()) or if the hexadecimal to binary and the reverse require something more complicated or different functions.

                Comment


                  #23
                  Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                  Eric,

                  I had one of our developers put together a PHP function for you:

                  Code:
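                  <?php
                      // Verify an entered password against a stored value of the form
                      // "SHA1:" + 32 hex chars of salt + 40 hex chars of SHA1.
                      // Returns 1 on a match, 0 otherwise.
                      function CustomerEncryption_Action_Customer_Login_Check( $customer_password, $customer_password_inputted )
                      {
                          // Skip the 5-char "SHA1:" prefix; the next 32 hex chars are the salt (16 raw bytes)
                          $salt = pack( "H*" , substr( $customer_password, 5, 32 ) );
                          // The remaining 40 hex chars are the stored SHA1
                          $customer_sha1 = substr( $customer_password, 37, 40 );
                          $salted_password = $salt . $customer_password_inputted;
                          // hash_equals() compares as strings in constant time; "==" would
                          // compare two digests of the form "0e<digits>" as equal numbers
                          if (hash_equals((string) $customer_sha1, sha1($salted_password)))
                          {
                              return 1;
                          }
                          else
                          {
                              return 0;
                          }
                      }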
                  
                  
                  echo CustomerEncryption_Action_Customer_Login_Check( 'SHA1:25f3f809fcae20d925a06c38802832d2e222436cb2b96bf4e395d16ff9edfc570ff9050c', 'password' );
                  echo CustomerEncryption_Action_Customer_Login_Check( 'SHA1:25f3f809fcae20d925a06c38802832d2e222436cb2b96bf4e395d16ff9edfc570ff9050c', 'hi' );
                  //echo CustomerEncryption_Action_Customer_Login_Check( <MvEVAL EXPR = "{ g.Customer:password }">, <MvEVAL EXPR = "{ g.Customer_Password }">' );
                  ?>

                  Comment
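The record layout from posts #19 and #21, as a stricter verifier that rejects malformed stored values before hashing. This is an added example, not part of the original thread and not Miva's own code; the function names (`miva_parse_record`, `miva_verify`, `miva_make_record`) and the sample record are constructed for illustration, and accepting upper-case hex in the stored value is an assumption.

```php
<?php
// Added example: strict parser/verifier for the record described in this thread:
// "SHA1:" + 32 hex chars (16-byte salt) + 40 hex chars (SHA1 digest) = 77 chars.
// All function names here are hypothetical.

const MIVA_PREFIX = 'SHA1:';

// Split a stored record into [binary salt, lowercase hex digest], or return
// null if it does not match the documented layout exactly.
function miva_parse_record(string $stored): ?array
{
    if (strlen($stored) !== 77 || strncmp($stored, MIVA_PREFIX, 5) !== 0) {
        return null;
    }
    $salt_hex   = substr($stored, 5, 32);
    $digest_hex = substr($stored, 37, 40);
    if (!ctype_xdigit($salt_hex) || !ctype_xdigit($digest_hex)) {
        return null;
    }
    // Assumption: stored hex may be upper or lower case; sha1() emits lower case.
    return [hex2bin($salt_hex), strtolower($digest_hex)];
}

// Recompute SHA1(binary salt . password) and compare in constant time.
function miva_verify(string $stored, string $password): bool
{
    $parsed = miva_parse_record($stored);
    if ($parsed === null) {
        return false; // malformed records never authenticate
    }
    [$salt, $digest] = $parsed;
    return hash_equals($digest, sha1($salt . $password));
}

// Build a record in the same layout (used here only to produce sample data).
function miva_make_record(string $password, string $salt): string
{
    return MIVA_PREFIX . bin2hex($salt) . sha1($salt . $password);
}

// Constructed sample: a fixed 16-byte salt so the record is reproducible.
$record = miva_make_record('correct horse', str_repeat("\x01", 16));
var_dump(miva_verify($record, 'correct horse'));                     // matching password
var_dump(miva_verify($record, 'wrong'));                             // non-matching password
var_dump(miva_verify(substr($record, 0, 60), 'correct horse'));      // truncated record
var_dump(miva_verify('MD5:' . substr($record, 5), 'correct horse')); // wrong prefix
```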


                    #24
                    Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                    We have this running in a store just installed today. However, not able to login using email address. ????
                    Are there any specific instructions to turn that on???
                    Suzanne

                    __________________________________________________ _______

                    aGenius Marketing
                    800-768-2693
                    Web Design & e-Commerce
                    __________________________________________________ _______

                    Comment


                      #25
                      Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                      Do you have "strict validation" for your store turned off? It must be, to allow using email addresses for login.
                      Larry
                      Larry
                      Luce Kanun Web Design
                      www.facebook.com/wajake41
                      www.plus.google.com/116415026668025242914/posts?hl=en


                      Comment


                        #26
                        Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                        thanks. But I did turn it off and still not working.:)
                        Suzanne

                        __________________________________________________ _______

                        aGenius Marketing
                        800-768-2693
                        Web Design & e-Commerce
                        __________________________________________________ _______

                        Comment


                          #27
                          Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                          How not working? Can you add a customer using an email address? Or after adding a customer with an email address, is it not possible to retrieve the customer record? Or?

                          Larry
                          Larry
                          Luce Kanun Web Design
                          www.facebook.com/wajake41
                          www.plus.google.com/116415026668025242914/posts?hl=en


                          Comment


                            #28
                            Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                            oops, Duh. Thanks for answering me and making me go back to look. I had the wrong email address I was trying to login as. Okay, it does work!
                            Suzanne

                            __________________________________________________ _______

                            aGenius Marketing
                            800-768-2693
                            Web Design & e-Commerce
                            __________________________________________________ _______

                            Comment


                              #29
                              Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                              It's great when the solution is easy ;)
                              Larry
                              Larry
                              Luce Kanun Web Design
                              www.facebook.com/wajake41
                              www.plus.google.com/116415026668025242914/posts?hl=en


                              Comment


                                #30
                                Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

                                Hello, I tried this module and it seems to work fine.

                                My question is that: Is there a way/setting to convert the "\r\n" in the email to real NewLines?
                                My email looks like this:
                                Here is the account information you requested. \r\nPlease return to the store to place your order. If we\r\ncan be of further assistance, please let us know how.\r\n\r\nThank you. https://XXXXXXXXXXXXXXXXXX

                                Thank you

                                Comment
