Using PHP Native Password API with Magento
Published January 15, 2015 in Development

Overview

Despite efforts from the industry, corporate data leaks from web applications are happening with increasing frequency. A specific implication of these leaks is that they often expose customer password information, potentially compromising the customer’s account not only on the site where the leak occurred but possibly many others, as customers tend to reuse the same password on many different sites.

With this in mind, it is the duty of each merchant and developer to safeguard such customer information.

Magento addresses the security of customer passwords by using the industry standard pattern of storing passwords using a one-way hash. This mechanism does not provide a way to directly retrieve a password from its hash – the only sure way to “unhash” a hash is by brute force (trying every single possible value). Brute forcing is hopefully prohibitively expensive and time-consuming, which ensures the security of hashed passwords.

Problem

The effectiveness of Magento’s password hashing relies heavily on the choice of the hashing algorithm. Currently, Community Edition 1.9.1.0 uses MD5, and Enterprise Edition 1.14.1.0 uses SHA256.

While these hashing algorithms are widely used in the industry, they suffer from a core design flaw that makes them unsuitable for protecting passwords.

According to PHP password hashing recommendations:

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to “brute force” the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can “reverse” these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

Solution

Considering how many applications need to securely store passwords, PHP provides a native password hashing and verification API. This API allows developers to easily store and validate passwords without having to research, reimplement, and maintain the wide range of best practice details that are required to truly be secure.

Additionally, this native API is designed to evolve over time – as better hashing algorithms or other best practices are discovered, it can transparently improve its implementation without requiring developers to update code.

Technical details

Along with other best practices, such as constant-time string comparisons and a unique salt per password, the PHP native password API uses the currently recommended bcrypt hashing algorithm. This default is designed to change over time, so hash strings produced by the native API include all the information required to verify the hash: the algorithm identifier, the cost parameter and the salt, followed by the digest itself.

[Image: example of a PHP native password API hash string with breakdown, from the PHP password hashing FAQ.]

Because of this, a hash string created by the native API is always forward compatible with future versions of the verification API.
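To make the forward-compatibility point concrete, here is an added example (not code from the original post or from the EW_NativePasswords module) that pulls the algorithm, cost and salt back out of a bcrypt hash string and then shows that password_verify() and password_needs_rehash() work from the stored string alone. The describeBcryptHash() function and its field names are this example's own.

```php
<?php
// Added example: a hash produced by password_hash() is self-describing.
// Nothing about the algorithm, cost or salt has to be stored elsewhere.

declare(strict_types=1);

/**
 * Split a bcrypt hash string ("$2y$" . cost . "$" . 22-char salt . 31-char digest)
 * into its parts. The field names are this example's own, not PHP's.
 */
function describeBcryptHash(string $hash): array
{
    $pattern = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (preg_match($pattern, $hash, $m) !== 1) {
        throw new InvalidArgumentException('Not a bcrypt hash string');
    }
    return [
        'algorithm' => $m[1],       // "2y" is the bcrypt variant PHP currently emits
        'cost'      => (int) $m[2], // work factor: 2^cost key-setup rounds
        'salt'      => $m[3],       // 128-bit salt chosen by password_hash()
        'digest'    => $m[4],       // the actual hash output
    ];
}

// Constructed sample password for the demonstration.
$password = 'correct horse battery staple';

// Store $stored exactly as returned; cost 10 is PHP's default bcrypt cost.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
print_r(describeBcryptHash($stored));

// Verification reads algorithm, cost and salt out of $stored and compares the
// digests in constant time; only the candidate password has to be supplied.
if (password_verify($password, $stored) && !password_verify('wrong password', $stored)) {
    echo "Verification works from the stored string alone\n";
}

// If the site's policy later raises the cost, the old hash still verifies and
// password_needs_rehash() reports that it should be regenerated at next login.
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
    echo "Stored hash uses a lower cost than the current policy; rehash on next login\n";
}
```

Because the parameters travel with the hash, a verifier can always check a hash made with an older cost or algorithm, and password_needs_rehash() is the hook for upgrading it once the user has supplied the plaintext again.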

The PHP native password hashing API is available in the PHP core since version 5.5.0. Additionally, there is a pure PHP compatibility library for versions of PHP since 5.3.7. Due to a security issue in PHP versions 5.3.6 and below, merchants and developers should upgrade at least to 5.3.7.

Magento implementation

In order to improve its password hashing security, I have created a PHP native password hashing API Magento module. The module is compatible with both Commerce Edition and Open Source Edition and includes the native API compatibility library, making it compatible with PHP versions 5.3.7 and above.

This module adds three system configuration options, which can be found in System -> Configuration -> Customers -> Customer Configuration -> Password Options.

[Screenshot: EW_NativePasswords system configuration options.]

  • Use PHP Native Password Hashing: this setting fundamentally enables/disables the module. In order to “do no harm”, the module is disabled by default, so it is critical to set this value to Yes in order to upgrade Magento password hashing.
  • Password Hashing Cost: advanced users can adjust this value to possibly improve password hashing security at the cost of server CPU load. The default is appropriate for nearly all sites.
  • Rehash Legacy Passwords: this setting allows Magento to upgrade password hashes which were created using legacy hashing algorithms. When a customer or admin successfully authenticates using a password with an unsuitable hash, the password will be rehashed using the native API. In order to “do no harm”, this functionality is disabled by default, but it should be set to Yes to begin to retroactively upgrade the site’s password hash database.
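The "Rehash Legacy Passwords" behaviour described above, as an added example rather than the module's own code: on a successful login the legacy Magento 1 hash (MD5 on Community Edition, SHA-256 on Enterprise Edition, stored as hash:salt) is verified and, if rehashing is enabled, replaced with a native-API hash. The PasswordMigrator class, its method names and the "hash(salt . password):salt" legacy layout are this example's assumptions; the caller is expected to persist the returned hash.

```php
<?php
// Added example: verify-then-rehash flow for migrating legacy Magento 1
// password hashes to the PHP native password API. Class and method names
// are assumptions made for this example.

declare(strict_types=1);

final class PasswordMigrator
{
    private int $cost;

    public function __construct(int $cost = 10)
    {
        $this->cost = $cost;
    }

    /** Assumed legacy layout: hash(salt . password) . ':' . salt */
    private function verifyLegacy(string $password, string $stored): bool
    {
        $parts = explode(':', $stored, 2);
        if (count($parts) !== 2) {
            return false;
        }
        [$digest, $salt] = $parts;
        // 64 hex chars => SHA-256 (EE); 32 hex chars => MD5 (CE)
        $algo = strlen($digest) === 64 ? 'sha256' : 'md5';
        // hash_equals() (PHP >= 5.6) keeps the comparison constant-time.
        return hash_equals($digest, hash($algo, $salt . $password));
    }

    private function isNative(string $stored): bool
    {
        return preg_match('/^\$2[aby]\$\d{2}\$/', $stored) === 1;
    }

    /**
     * Returns [authenticated, newHash]. newHash is non-null only when the
     * stored hash should be replaced; the caller saves it to the customer record.
     */
    public function authenticate(string $password, string $stored, bool $rehashLegacy): array
    {
        if ($this->isNative($stored)) {
            if (!password_verify($password, $stored)) {
                return [false, null];
            }
            // Native hash: regenerate only if the cost policy has changed.
            $new = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $this->cost])
                ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->cost])
                : null;
            return [true, $new];
        }

        if (!$this->verifyLegacy($password, $stored)) {
            return [false, null];
        }
        // Legacy hash verified: upgrade it now, while the plaintext is available,
        // but only if the "Rehash Legacy Passwords" option is enabled.
        $new = $rehashLegacy
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->cost])
            : null;
        return [true, $new];
    }
}

// Constructed demo record: a CE-style MD5 hash for the password "s3cret".
$salt   = 'ab';
$legacy = md5($salt . 's3cret') . ':' . $salt;

$migrator = new PasswordMigrator(10);

[$ok, $newHash] = $migrator->authenticate('s3cret', $legacy, true);
if ($ok && $newHash !== null) {
    // Persist $newHash in place of $legacy; later logins take the native path.
    echo "Login succeeded; legacy hash upgraded to: $newHash\n";
}

[$ok, $newHash] = $migrator->authenticate('s3cret', $legacy, false);
if ($ok && $newHash === null) {
    echo "Login succeeded; rehashing disabled, legacy hash kept\n";
}
```

The upgrade can only happen at login because the plaintext is never stored; until every customer has logged in once, some records keep their fast legacy hashes, which is why enabling the option early matters.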

Where to get it

This module is liberally licensed and freely available on GitHub: https://github.com/ericthehacker/magento-phpnativepasswords.

It can be easily installed using modman, as described in the installation instructions. As mentioned above, it’s critical to enable the module’s functionality in system configuration after installation.

As always, issues or contributions are welcome!
