Overview
Despite efforts from the industry, corporate data leaks from web applications are happening with increasing frequency. A specific implication of these leaks is that they often expose customer password information, potentially compromising the customer’s account not only on the site where the leak occurred but possibly many others, as customers tend to reuse the same password on many different sites.
With this in mind, it is the duty of each merchant and developer to safeguard such customer information.
Magento addresses the security of customer passwords by using the industry standard pattern of storing passwords using a one-way hash. This mechanism does not provide a way to directly retrieve a password from its hash – the only sure way to “unhash” a hash is by brute force (trying every single possible value). Brute forcing is hopefully prohibitively expensive and time-consuming, which ensures the security of hashed passwords.
Problem
The effectiveness of Magento’s password hashing relies heavily on the choice of the hashing algorithm. Currently, Community Edition 1.9.1.0 uses MD5, and Enterprise Edition 1.14.1.0 uses SHA256.
While these hashing algorithms are widely used in the industry, they suffer a core design flaw which makes them unsuitable for securing information.
According to PHP password hashing recommendations:
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to “brute force” the output of these algorithms, in order to determine the original input.
Because of how quickly a modern computer can “reverse” these hashing algorithms, many security professionals strongly suggest against their use for password hashing.
Solution
Considering how many applications need to securely store passwords, PHP provides a native password hashing and verification API. This API allows developers to easily store and validate passwords without having to research, reimplement, and maintain the wide range of best practice details that are required to truly be secure.
Additionally, this native API is designed to evolve over time – as better hashing algorithms or other best practices are discovered, it can transparently improve its implementation without requiring developers to update code.
Technical details
Along with other best practices, such as constant time string comparisons, unique salt, etc, the PHP native password API uses the currently recommended bcrypt hashing algorithm. This is designed to change over time, so hash strings produced by the native API include all required information to verify the hash.
PHP native password API hash string example, from PHP password hashing FAQ.
Because of this, a hash string created by the native API is always forward compatible with future versions of the verification API.
The PHP native password hashing API is available in the PHP core since version 5.5.0. Additionally, there is a pure PHP compatibility library for versions of PHP since 5.3.7. Due to a security issue in PHP versions 5.3.6 and below, merchants and developers should upgrade at least to 5.3.7.
Magento implementation
In order to improve its password hashing security, I have created a PHP native password hashing API Magento module. The module is compatible with both Commerce Edition and Open Source Edition and includes the native API compatibility library, making it compatible with PHP versions 5.3.7 and above.
This module adds three system configuration options, which can be found in System -> Configuration -> Customers -> Customer Configuration -> Password Options.
- Use PHP Native Password Hashing: this setting fundamentally enables/disables the module. In order to “do no harm”, the module is disabled by default, so it is critical to set this value to Yes in order to upgrade Magento password hashing.
- Password Hashing Cost: advanced users can adjust this value to possibly improve password hashing security at the cost of server CPU load. The default is appropriate for nearly all sites.
- Rehash Legacy Passwords: this setting allows Magento to upgrade password hashes which were created using legacy hashing algorithms. When a customer or admin successfully authenticates using a password with an unsuitable hash, the password will be rehashed using the native API. In order to “do no harm”, this functionality is disabled by default, but it should be set to Yes to begin to retroactively upgrade the site’s password hash database.
Where to get it
This module is liberally licensed and freely available on GitHub: https://github.com/ericthehacker/magento-phpnativepasswords.
It can be easily installed using modman, as described in the installation instructions. As mentioned above, it’s critical to enable the module’s functionality in system configuration after installation.
As always, issues or contributions are welcome!