Decrypting the Customer Password

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
I want to tie the nopCommerce login system into our existing site login process. In order to do this, I need to be able to decrypt the customer password that is stored in the nopCommerce customer database. Has anyone done this before?

I have been studying the nopCommerce source code for a few days and I cannot find any example of decrypting the password back to plain text. It looks like all password comparisons are done by encrypting the password from the login form and then comparing that to the encrypted password stored on the database.

If someone has done this and could send me the sample code to do it, I would really appreciate it.

Thanks,
Gary
12 years ago
SwimmingWorld wrote:
I want to tie the nopCommerce login system into our existing site login process. In order to do this, I need to be able to decrypt the customer password that is stored in the nopCommerce customer database. Has anyone done this before?

I have been studying the nopCommerce source code for a few days and I cannot find any example of decrypting the password back to plain text. It looks like all password comparisons are done by encrypting the password from the login form and then comparing that to the encrypted password stored on the database.

If someone has done this and could send me the sample code to do it, I would really appreciate it.

Thanks,
Gary


Hi Gary,

What version of nopCommerce are you using? How long have you been allowing users to register on your nopCommerce site?

nopCommerce 2.x

You can configure nopCommerce to store passwords in plain text in the administration section. Without extensive research I'm not sure of a way to decrypt all passwords for previously registered users (without custom coding), but going forward passwords would be stored in plain text.
12 years ago
SwimmingWorld wrote:
I want to tie the nopCommerce login system into our existing site login process. In order to do this, I need to be able to decrypt the customer password that is stored in the nopCommerce customer database. Has anyone done this before?

I have been studying the nopCommerce source code for a few days and I cannot find any example of decrypting the password back to plain text. It looks like all password comparisons are done by encrypting the password from the login form and then comparing that to the encrypted password stored on the database.

If someone has done this and could send me the sample code to do it, I would really appreciate it.

Thanks,
Gary

Another way to do it is to copy the encrypted password into your own site and do the same there: encrypt the password from the login form and then compare that to the encrypted password stored in the database.
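
The approach in the reply above, sketched as an added example (not part of the original post and not nopCommerce's own code): the stored value is never decrypted; the second site recomputes the digest from the submitted password and the copied salt, then compares the two. The digest layout (uppercase hex SHA-1 over password + salt), the class and method names, and the sample values are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not nopCommerce code. Assumption: the stored value is an
// uppercase hex SHA-1 digest over UTF-8(password + salt). Check the hashing
// routine in your nopCommerce version before relying on this layout.
public static class SharedLoginCheck
{
    // Recompute the digest from the submitted password and the stored salt.
    public static string ComputeHash(string password, string salt)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password + salt));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Case-insensitive comparison that does not stop at the first mismatch,
    // so the time taken does not depend on how many characters agree.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= char.ToUpperInvariant(a[i]) ^ char.ToUpperInvariant(b[i]);
        return diff == 0;
    }

    // Login check for the second site: hash the form input, compare digests.
    public static bool Verify(string submitted, string storedHash, string storedSalt)
    {
        return FixedTimeEquals(ComputeHash(submitted, storedSalt), storedHash);
    }

    public static void Main()
    {
        // Constructed sample record standing in for a copied customer row.
        string salt = "Xk3p9Q=";
        string stored = ComputeHash("correct horse", salt);

        Console.WriteLine(Verify("correct horse", stored, salt)); // enrolled password
        Console.WriteLine(Verify("wrong guess", stored, salt));   // different password
    }
}
```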
12 years ago
I am using version 2.0.  I am OK with storing the password as plain text but could not find out how to do this without also having it store credit card numbers in plain text.  If passwords can be stored in plain text while still encrypting credit card numbers that would be OK.

I don't want to use encrypted passwords on our existing login system because we already have a lot of customers on that database and the passwords are plain text.

Encryption is not required for passwords either in nopCommerce or our existing login system.  However, we want credit card numbers to be encrypted.

If you can tell me which setting in v2.0 will allow me to encrypt credit card numbers but NOT encrypt passwords that would work.

Thanks,
Gary
12 years ago
SwimmingWorld wrote:
I am using version 2.0.  I am OK with storing the password as plain text but could not find out how to do this without also having it store credit card numbers in plain text.  If passwords can be stored in plain text while still encrypting credit card numbers that would be OK.

I don't want to use encrypted passwords on our existing login system because we already have a lot of customers on that database and the passwords are plain text.

Encryption is not required for passwords either in nopCommerce or our existing login system.  However, we want credit card numbers to be encrypted.

If you can tell me which setting in v2.0 will allow me to encrypt credit card numbers but NOT encrypt passwords that would work.

Thanks,
Gary


I apologize for misleading you. The configuration I saw was for the type of encryption used. Currently the form of the stored password is not configurable, but the changes required appear to be small.

Everywhere the class ChangePasswordRequest is used should send the password format as clear. The class CustomerRegistrationRequest needs a similar change.

When I performed a find usages there were only a couple of places where they are used. Let me know if you need more guidance.
12 years ago
Can you tell me where the admin setting is that allows me to store customer passwords in plain text?
12 years ago
SwimmingWorld wrote:
Can you tell me where the admin setting is that allows me to store customer passwords in plain text?


Like I mentioned in my last post it is not configurable. I thought it was, but I was mistaken. The setting I saw is used to determine the hashing algorithm not the form in which it is stored (e.g. it is always hashed). To store passwords in clear text you need to make code changes. Investigate the classes and their usages I mentioned in my previous post to get a better idea of what needs to change to store passwords in clear text.
12 years ago
It says here that in v2.0 the password is configurable.

https://www.nopcommerce.com/boards/t/10184/password-decrypt-for-partner-api-implementation.aspx#52353
12 years ago
SwimmingWorld wrote:
It says here that in v2.0 the password is configurable.

https://www.nopcommerce.com/boards/t/10184/password-decrypt-for-partner-api-implementation.aspx#52353


The code definitely supports changing how passwords are stored; it doesn't appear to be configurable without writing new code, though. I copied the code below from the registration controller. As you can see, it is hard coded that when new users register their passwords are hashed.


    bool isApproved = _customerSettings.UserRegistrationType == UserRegistrationType.Standard;
    var registrationRequest = new CustomerRegistrationRequest(customer, model.Email,
        _customerSettings.UsernamesEnabled ? model.Username : model.Email,
        model.Password, PasswordFormat.Hashed, isApproved);
    var registrationResult = _customerService.RegisterCustomer(registrationRequest);
12 years ago
Thanks.