Which algorithm is used by Magento 2.x / Adobe Commerce 2.x for password hashing?

As we know, Magento 1 generated the hash as md5(salt + password) and saved it in the database in the following format,

with one colon, like:

 $password-hash : $salt

Magento 2.x / Adobe Commerce 2.x changed this logic; it is implemented in the following file:


vendor/magento/framework/Encryption/Encryptor.php

Magento 2.x / Adobe Commerce 2.x generates the hash as hash('sha256', $salt . $password); and saves it in the database with two colons, in the following format,

with two colons, like:

$password-hash : $salt: $version

If you have upgraded from Magento 1 to Magento 2.x and cannot convert the Magento 1 database passwords to the Magento 2.x format, you need to do the following.

You need to override the Encryptor class via di.xml in your custom module, adding some private functions to a class that extends \Magento\Framework\Encryption\Encryptor.

<?php

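/**
 * Encryptor override that accepts both the Magento 1 password layout
 * (`md5(salt . password)` stored as "hash:salt") and the Magento 2 layout
 * ("hash:salt:version"), so accounts migrated from Magento 1 can still
 * log in without a forced password reset.
 *
 * Hashing is delegated to the parent's hash(); only the legacy MD5 branch
 * is computed here. The final comparison always goes through
 * Security::compareStrings, the timing-safe helper the core Encryptor uses.
 *
 * NOTE(review): the listing declares no namespace and no
 * `use Magento\Framework\Encryption\Helper\Security;` — both must match the
 * module this class lives in before it is wired up through di.xml, or
 * `Security` resolves to a non-existent global class. The file should also
 * omit the trailing `?>` so no stray whitespace is emitted before headers.
 */
class Encryptor extends \Magento\Framework\Encryption\Encryptor
{
    /**
     * Scratch copy of the most recently exploded stored value, keyed by the
     * parent's PASSWORD_HASH / PASSWORD_SALT / PASSWORD_VERSION constants.
     * Every key is rewritten on each explodePasswordHash() call, so nothing
     * leaks between two isValidHash() invocations.
     *
     * No private hash-version map is kept here: the non-legacy path hands
     * the version number straight to the parent's hash().
     *
     * @var array
     */
    private $passwordHashMap = [
        self::PASSWORD_HASH => '',
        self::PASSWORD_SALT => '',
        self::PASSWORD_VERSION => self::HASH_VERSION_LATEST,
    ];

    /**
     * Split a stored value into its hash / salt / version parts.
     *
     * Parts that are absent keep the defaults from $passwordHashMap, so a
     * two-part Magento 1 value is assigned HASH_VERSION_LATEST as its
     * version (the legacy branch in isValidHash() never reads it).
     *
     * @param string $hash stored value, "hash:salt" or "hash:salt:version"
     * @return array the refreshed $passwordHashMap
     */
    private function explodePasswordHash(string $hash): array
    {
        // Limit of 3: the version field may itself contain the delimiter
        // (chained versions such as "1:0") and must survive intact for
        // getPasswordVersion() to split it again.
        $parts = explode(self::DELIMITER, $hash, 3);
        foreach ($this->passwordHashMap as $key => $defaultValue) {
            $this->passwordHashMap[$key] = isset($parts[$key]) ? $parts[$key] : $defaultValue;
        }

        return $this->passwordHashMap;
    }

    /**
     * Whether a stored value uses the Magento 1 layout: exactly one
     * delimiter ("hash:salt"). Magento 2 values carry a second delimiter
     * in front of the version list.
     *
     * Uses the same DELIMITER constant as explodePasswordHash() instead of a
     * hard-coded ':' so both checks always agree on the separator.
     *
     * @param string $hash stored value
     * @return bool
     */
    private function isLegacyHash(string $hash): bool
    {
        return substr_count($hash, self::DELIMITER) === 1;
    }

    /**
     * Hash part of the last exploded value.
     *
     * @return string
     */
    private function getPasswordHash(): string
    {
        return (string)$this->passwordHashMap[self::PASSWORD_HASH];
    }

    /**
     * Salt part of the last exploded value ('' when none was stored).
     *
     * @return string
     */
    private function getPasswordSalt(): string
    {
        return (string)$this->passwordHashMap[self::PASSWORD_SALT];
    }

    /**
     * Version part of the last exploded value as a list of ints, in the
     * order they are to be applied (a chained value like "1:0" yields [1, 0]).
     *
     * @return int[]
     */
    private function getPasswordVersion(): array
    {
        return array_map('intval', explode(self::DELIMITER, $this->passwordHashMap[self::PASSWORD_VERSION]));
    }

    /**
     * @inheritdoc
     *
     * Recomputes the hash of $password with the stored salt and compares it
     * to the stored hash in constant time. Magento 1 values are checked with
     * md5(salt . password); everything else is re-hashed through the
     * parent's hash() once per listed version, in order, with the salt
     * prepended at each step.
     *
     * A match on the MD5 path proves the password but leaves a weak hash in
     * the database; this method only verifies, so the caller is expected to
     * re-hash with the current version after a successful login.
     */
    public function isValidHash($password, $hash): bool
    {
        $this->explodePasswordHash($hash);
        $salt = $this->getPasswordSalt();

        if ($this->isLegacyHash($hash)) {
            // Magento 1 layout: md5(salt . password) stored as "hash:salt".
            $computed = md5($salt . $password);
        } else {
            // Magento 2 layout: apply each version in sequence to the
            // running value, mirroring how the core Encryptor chains them.
            $computed = $password;
            foreach ($this->getPasswordVersion() as $hashVersion) {
                $computed = $this->hash($salt . $computed, $hashVersion);
            }
        }

        // Timing-safe compare; never use == / === on hash strings here.
        return Security::compareStrings(
            $computed,
            $this->getPasswordHash()
        );
    }
}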

 ?>
