Announcement

**ericj** · 10-17-11, 02:57 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

OK. I understand one-way encryption but I don't understand why PHP (for example) should not be able to compare a password input by a user and determine if it equals the hash (SHA-1 created with a salt) stored in the miva database just like miva script does. Don't I just need you to tell me how the salt is stored (e.g. part of the hash or in separate field)? Is there some miva documentation you could point me to on how miva's SHA-1 encryption function works?
Thank you,

**wajake41** · 10-17-11, 05:41 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Hi ericj: I would think that the idea of password encryption is to assure the customer that no one can see their password. Not even the store owner. If the store owner is able to un-encrypt the password, then the encryption security of the password is compromised. Why bother encrypting it.
Larry

**ericj** · 10-17-11, 07:57 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Larry, I agree with what you wrote, but just to be clear, I did not ask how to "un-encrypt" (meaning show plain text passwords) the hashed values saved in the DB - that's not practically possible (without a rainbow table). I do hope somebody will tell me how the salt is implemented in Miva.

**burch** · 10-18-11, 06:56 AM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Encrypted passwords have the following format:

SHA1:ssssssssssssssssssssssssssssssssHHHHHHHHHHHHH HHHHHHHHHHHHHHHHHHHHHHHHHHH

Where "s" represents the 16-byte salt value, and H represents the 160-bit SHA1. Both the salt and SHA1 hash are stored in hexidecimal.

So, as a rough psuedocode algorithm to verify a password:

Extract hexidecimal salt from encrypted password and convert from hexidecimal to binary
Prepend entered password with binary salt, resulting in salted password
Generate SHA1 hash of salted password and encode in hexidecimal
Compare hexidecimal generated salt with salt in encrypted password

Hope this helps.

**wajake41** · 10-18-11, 07:03 AM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Hi burch: I assumed that to verify a password, you would encrypt the entered password using the same encryption method as was used for the stored encrypted password, then compare the two values. Not so?

Larry

**burch** · 10-18-11, 07:10 AM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Oops, the last step in my example is incorrect.

It should read:

Compare hexidecimal encoded SHA1 from the salted password with the stored SHA1.

So you are correct.

**ericj** · 10-19-11, 09:32 AM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Thank you for the explanation. And for the clarification...I spent a bit of time yesterday wondering about that last sentence.

In any case, if a php developer reads this string one day and would translate the "rough psuedocode" into php and share, I would appreciate it. It's not clear to me if this is pretty easy in php (using sha1(), bin2hex(), and hex2bin()) or if the hexadecimal to binary and the reverse require something more complicated or different functions.

**burch** · 10-19-11, 03:18 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Eric,

I had one of our developers put together a PHP function for you:

Code:

<?php
    function CustomerEncryption_Action_Customer_Login_Check( $customer_password, $customer_password_inputted )
    {
        $salt = pack( "H*" , substr( $customer_password, 5, 32 ) );
        $customer_sha1 = substr( $customer_password, 37, 40 );
        $salted_password = $salt . $customer_password_inputted;
        if (sha1($salted_password) == $customer_sha1)
        {
            return 1;
        }
        else
        {
            return 0;
        }
    }


echo CustomerEncryption_Action_Customer_Login_Check( 'SHA1:25f3f809fcae20d925a06c38802832d2e222436cb2b96bf4e395d16ff9edfc570ff9050c', 'password' );
echo CustomerEncryption_Action_Customer_Login_Check( 'SHA1:25f3f809fcae20d925a06c38802832d2e222436cb2b96bf4e395d16ff9edfc570ff9050c', 'hi' );
//echo CustomerEncryption_Action_Customer_Login_Check( <MvEVAL EXPR = "{ g.Customer:password }">, <MvEVAL EXPR = "{ g.Customer_Password }">' );
?>

**agenius** · 10-21-11, 01:53 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

we have this running in a store just installed today. however, not able to login using email address. ????
are there any specific instructions to turn that on???

**wajake41** · 10-21-11, 02:23 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Do you have "strict validation" for your store turned off? It must be, to allow using email addresses for login.
Larry

**agenius** · 10-21-11, 02:47 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

thanks. But I did turn it off and still not working.:)

**wajake41** · 10-21-11, 02:51 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

How not working? Can you add a customer using an emaill address? Or after adding a customer with an email address, is it not possible to retrieve the customer recor? Or?

Larry

**agenius** · 10-21-11, 02:59 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

oops, Duh. Thanks for answering me and making me go back to look. I had the wrong email address I was trying to login as. Okay, it does work!

**wajake41** · 10-21-11, 03:01 PM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

It's great when the solution is easy ;)
Larry

**yanping** · 01-09-12, 08:22 AM

Re: Customer Password Encryption and Email Login Module from Miva Merchant Available

Hello, I tried this module and it seems to work fine.

My question is that: Is there a way/setting to convert the "\r\n" in the email to real NewLines?
My email looks like this:
Here is the account information you requested. \r\nPlease return to the store to place your order. If we\r\ncan be of further assistance, please let us know how.\r\n\r\nThank you. https://XXXXXXXXXXXXXXXXXX

Thank you

Announcement

Customer Password Encryption and Email Login Module from Miva Merchant Available FREE

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment