Algorithm used to Encrypt Password when "Hashed" is selected

Posted: May 13, 2016 at 3:01 AM Quote #167551
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
Posted: July 15, 2016 at 2:14 PM Quote #171659
I think that making this information public would possibly risk the security of every nopCommerce site....
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: July 15, 2016 at 3:39 PM Quote #171662
yadm_rs wrote:
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.

It's SHA1. You can see the details of the implementation in the EncryptionService source.
Regards, Pete.
Posted: July 16, 2016 at 1:35 PM Quote #171685
petemitch wrote:
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
It's SHA1. You can see the details of the implementation in the EncryptionService source.


If that's the case, I'm guessing that 3.80 or the next version will use SHA256 because everybody, everywhere is dropping support for SHA1...just too hackable.

SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: August 08, 2016 at 6:01 PM Quote #173086
Hello,

I have proposed a future solution for this issue here:
https://www.nopcommerce.com/boards/t/43601/for-review-security-enhancements-for-nopcommerce-390.aspx
- c
Posted: August 07, 2018 at 3:18 AM Quote #210228
nopCommerce 4.1 appears to use SHA512; the value is stored in the settings table under the Name 'customersettings.hashedpasswordformat'.
www.astrumcs.com
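
An added example, not part of the thread and not nopCommerce's own code: when a site's configured hash format changes (SHA1 to SHA512, as the posts above describe), existing hashes cannot be converted without the plaintext, so each record is verified under the format it was created with and re-hashed on the next successful login. The `StoredPassword` type, the `password + salt` layout and the hex encoding are assumptions for illustration; the code targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical record, not nopCommerce's schema. Each stored hash carries the
// name of the algorithm that produced it, so old and new hashes can coexist.
public sealed class StoredPassword { public string Format = "", Salt = "", Hash = ""; }

public static class PasswordUpgrade
{
    // Assumption: hash = HEX(H(UTF8(password + salt))); the thread does not give the layout.
    public static string Compute(string password, string salt, string format)
    {
        byte[] data = Encoding.UTF8.GetBytes(password + salt);
        using HashAlgorithm h = format switch
        {
            "SHA1" => SHA1.Create(),
            "SHA512" => SHA512.Create(),
            _ => throw new ArgumentException("unknown format: " + format)
        };
        return Convert.ToHexString(h.ComputeHash(data));
    }

    // Verify against the record's own format; on success, re-hash under the
    // site-wide configured format if the record is still on a different one.
    public static bool VerifyAndUpgrade(StoredPassword rec, string password, string configured)
    {
        byte[] expected = Encoding.ASCII.GetBytes(rec.Hash.ToUpperInvariant());
        byte[] actual = Encoding.ASCII.GetBytes(Compute(password, rec.Salt, rec.Format));
        // Constant-time comparison; returns false when the lengths differ.
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        if (rec.Format != configured)
        {
            rec.Salt = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)); // fresh salt
            rec.Hash = Compute(password, rec.Salt, configured);
            rec.Format = configured;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample record, as if created while the setting was SHA1.
        var rec = new StoredPassword { Format = "SHA1", Salt = "c2FsdA==" };
        rec.Hash = Compute("correct horse", rec.Salt, "SHA1");
        Console.WriteLine(VerifyAndUpgrade(rec, "wrong", "SHA512") + " " + rec.Format);
        Console.WriteLine(VerifyAndUpgrade(rec, "correct horse", "SHA512") + " " + rec.Format);
    }
}
```

A failed login leaves the record on its old format; only a successful one moves it to the configured format. Accounts that never log in again keep their old hashes until a forced reset.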