Despite efforts from the industry, corporate data leaks from web applications are happening with increasing frequency. A specific implication of these leaks is that they often expose customer password information, potentially compromising the customer’s account not only on the site where the leak occurred but possibly many others, as customers tend to reuse the same password on many different sites.
With this in mind, it is the duty of each merchant and developer to safeguard such customer information.
Magento addresses the security of customer passwords by using the industry standard pattern of storing passwords using a one-way hash. This mechanism does not provide a way to directly retrieve a password from its hash – the only sure way to “unhash” a hash is by brute force (trying every single possible value). Brute forcing is hopefully prohibitively expensive and time-consuming, which ensures the security of hashed passwords.
The effectiveness of Magento’s password hashing relies heavily on the choice of the hashing algorithm. Currently, Community Edition 22.214.171.124 uses MD5, and Enterprise Edition 126.96.36.199 uses SHA256.
While these hashing algorithms are widely used in the industry, they suffer a core design flaw which makes them unsuitable for securing information.
According to PHP password hashing recommendations:
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to “brute force” the output of these algorithms, in order to determine the original input.
Because of how quickly a modern computer can “reverse” these hashing algorithms, many security professionals strongly suggest against their use for password hashing.
Considering how many applications need to securely store passwords, PHP provides a native password hashing and verification API. This API allows developers to easily store and validate passwords without having to research, reimplement, and maintain the wide range of best practice details that are required to truly be secure.
Additionally, this native API is designed to evolve over time – as better hashing algorithms or other best practices are discovered, it can transparently improve its implementation without requiring developers to update code.
Along with other best practices, such as constant-time string comparisons and unique salts, the PHP native password API uses the currently recommended bcrypt hashing algorithm. The algorithm choice is designed to change over time, so hash strings produced by the native API include all the information required to verify the hash.
PHP native password API hash string example, from PHP password hashing FAQ.
Because of this, a hash string created by the native API is always forward compatible with future versions of the verification API.
The PHP native password hashing API has been available in the PHP core since version 5.5.0. Additionally, there is a pure PHP compatibility library for PHP versions 5.3.7 and later. Due to a security issue in PHP versions 5.3.6 and below, merchants and developers should upgrade to at least 5.3.7.
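The following sketch shows how an application can move existing accounts onto the native API at login time. It is an added example, not code from the original post or from the module described below. It assumes legacy hashes are stored as `md5(salt . password):salt`, and the function names are hypothetical.

```php
<?php
// Added example: upgrade-on-login from a legacy salted-MD5 hash to the native API.
// Assumption: legacy values are stored as "md5(salt . password):salt".
// Needs PHP 5.6+ for hash_equals(); password_*() needs 5.5+ or the compat library.

/** True when the stored value is a native API hash string (e.g. "$2y$10$..."). */
function isNativeHash($stored)
{
    $info = password_get_info($stored);
    return !empty($info['algo']); // 0 or null means "not recognised"
}

/** Constant-time check of the assumed legacy format. */
function verifyLegacy($password, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    return hash_equals($parts[0], md5($parts[1] . $password));
}

/**
 * Returns array($valid, $replacement). A non-null $replacement is a fresh
 * native hash that the caller should save over the stored value.
 */
function verifyAndUpgrade($password, $stored)
{
    if (isNativeHash($stored)) {
        if (!password_verify($password, $stored)) {
            return array(false, null);
        }
        // Re-hash only if the default algorithm or cost has moved on.
        $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
        return array(true, $stale ? password_hash($password, PASSWORD_DEFAULT) : null);
    }
    if (!verifyLegacy($password, $stored)) {
        return array(false, null);
    }
    // Legacy hash matched: re-hash now, while the plaintext is in hand.
    return array(true, password_hash($password, PASSWORD_DEFAULT));
}

// Constructed sample data, not taken from any real store.
$legacy = md5('Xk' . 'correct horse') . ':Xk';
list($ok, $new) = verifyAndUpgrade('correct horse', $legacy);
var_dump($ok, password_get_info($new));
list($okAgain, $newAgain) = verifyAndUpgrade('correct horse', $new);
var_dump($okAgain, $newAgain);
```

Accounts that never log in again keep their legacy hash under this scheme, so the stored MD5 values remain exposed until each customer's next successful login.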
In order to improve Magento's password hashing security, I have created a PHP native password hashing API Magento module. The module is compatible with both Commerce Edition and Open Source Edition and includes the native API compatibility library, making it compatible with PHP versions 5.3.7 and above.
This module adds three system configuration options, which can be found in System -> Configuration -> Customers -> Customer Configuration -> Password Options.
This module is liberally licensed and freely available on GitHub: https://github.com/ericthehacker/magento-phpnativepasswords.
It can be easily installed using modman, as described in the installation instructions. As mentioned above, it’s critical to enable the module’s functionality in system configuration after installation.
As always, issues or contributions are welcome!