Algorithm used to Encrypt Password when "Hashed" is selected

3 years ago
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
3 years ago
I think that making this information public would possibly risk the security of every nopCommerce site....
3 years ago
yadm_rs wrote:
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.

It's SHA1. You can see the details of the implementation in the EncryptionService source.
3 years ago
petemitch wrote:
Is there any official documentation with this information?

The Algorithm used to encrypt the Password field when the PasswordFormat = Hashed.
It's SHA1. You can see the details of the implementation in the EncryptionService source.


If that's the case, I'm guessing that 3.80 or the next version will use SHA256 because everybody, everywhere is dropping support for SHA1...just too hackable.

SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3. Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
3 years ago
Hello,

I have proposed a future solution for this issue here:
https://www.nopcommerce.com/boards/t/43601/for-review-security-enhancements-for-nopcommerce-390.aspx
1 year ago
nopCommerce 4.1 appears to use SHA512; the value is stored in the settings table under the Name 'customersettings.hashedpasswordformat'.
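
Added example (not part of the thread and not nopCommerce's code): verifying a salted hash under a configurable format name, and re-hashing a SHA1 record to SHA512 on the next successful login, since that is the only time the plaintext is available. The record layout, the per-record `format` field, the helper names, and the password-plus-salt concatenation with uppercase hex output are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Format names from the thread: SHA1 (older releases), SHA512 (reported for 4.1).
FORMATS = {"SHA1": hashlib.sha1, "SHA512": hashlib.sha512}
PREFERRED = "SHA512"

def create_password_hash(password, salt, fmt):
    # Assumption: hash over password + salt (UTF-8), stored as uppercase hex.
    algo = FORMATS.get(fmt.upper())
    if algo is None:
        raise ValueError(f"unsupported hash format: {fmt!r}")
    return algo((password + salt).encode("utf-8")).hexdigest().upper()

def new_record(password, fmt=PREFERRED):
    salt = secrets.token_hex(8)  # fresh random salt per password
    return {"format": fmt, "salt": salt,
            "hash": create_password_hash(password, salt, fmt)}

def verify_and_upgrade(record, password):
    """Return (ok, record_to_store); a legacy record is re-hashed on success."""
    candidate = create_password_hash(password, record["salt"], record["format"])
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(candidate, record["hash"].upper()):
        return False, record
    if record["format"].upper() != PREFERRED:
        # The plaintext is only available at login, so upgrade here.
        return True, new_record(password)
    return True, record

def legacy_accounts(store):
    """Names of accounts still on a non-preferred format (audit helper)."""
    return sorted(n for n, r in store.items() if r["format"].upper() != PREFERRED)

# Constructed sample data, not taken from any real site.
STORE = {
    "alice": new_record("correct horse", fmt="SHA1"),
    "bob": new_record("battery staple"),
}

if __name__ == "__main__":
    print("before:", legacy_accounts(STORE))
    ok, STORE["alice"] = verify_and_upgrade(STORE["alice"], "correct horse")
    print("login ok:", ok, "after:", legacy_accounts(STORE))
```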