Convert a password the Magento way

Here’s how to convert passwords from plain text to the algorithm used by Magento.

This can be useful when you need to import users from an external application that stored passwords with no encryption.

First of all, some bad news: if you want to import encrypted passwords (for example MD5) and you don’t have a secure reverse lookup DB, you won’t be able to import the customers into the Magento store without resetting their passwords.

So, let’s assume we have already imported the customers with the Magento import tool and they can’t log in because their passwords don’t fit Magento’s format, which is defined this way (read it as a PHP developer):

md5(salt.password):salt

So, to convert all customers’ passwords you only need to log in to mysql and run a single query:

mysql -u root -e "UPDATE customer_entity_varchar SET value = CONCAT( MD5(CONCAT('salt', value)), ':salt') WHERE attribute_id = '12'"
-- don't care about my local config ;-)

That’s it!
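The same conversion as an added Python example (not code from the original post): it draws a random salt per customer instead of the shared literal 'salt', and skips values that already look converted so a second run does not hash the hashes. The entity_id column, the 32-character hex salt and the sample rows are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets

# Shape of an already-converted value: 32 hex chars of MD5, ':', then the salt.
# Heuristic (assumption): a plain-text password will not look like this.
CONVERTED = re.compile(r"^[0-9a-f]{32}:[^:]+$")


def magento_hash(password, salt=None):
    """Return md5(salt . password) ':' salt, the format described above."""
    if salt is None:
        salt = secrets.token_hex(16)  # salt length is an assumption
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(password, stored):
    """Check a login attempt against a stored 'hash:salt' value."""
    digest, _, salt = stored.partition(":")
    candidate = magento_hash(password, salt).partition(":")[0]
    return hmac.compare_digest(candidate, digest)


def convert_rows(rows):
    """Map (entity_id, value) rows to (new_value, entity_id) UPDATE parameters.

    Rows that already hold a converted value are skipped.
    """
    return [(magento_hash(value), entity_id)
            for entity_id, value in rows
            if not CONVERTED.match(value)]


# Constructed sample rows, standing in for customer_entity_varchar contents.
SAMPLE_ROWS = [
    (1, "hunter2"),
    (2, "correct horse"),
    (3, "5d41402abc4b2a76b9719d911017c592:he"),  # already converted
]

if __name__ == "__main__":
    for new_value, entity_id in convert_rows(SAMPLE_ROWS):
        print(entity_id, new_value)
```

The returned pairs are ordered for a parameterized `UPDATE customer_entity_varchar SET value = %s WHERE entity_id = %s AND attribute_id = ...`, which keeps the password text out of the SQL string.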
