Where and how are passwords stored in Magento? - magento

It would be a tremendous user experience bless to have a universal login across various apps of my website. For now, I have a storefront of Magento and a community of IPS board. And I'm trying to integrate them into one universal login for my users.
IPS board offers a variety of login methods and one of them is External Database that enables me to integrate it with an external database for user details.
Fantastic! So I can link IPS with Magento's database for unified user credentials.
However, thus far I can only find the email field that is customer_entity.email.
My questions are:
What is the password hash field (table.field) in Magento?
How does Magento generate password hash? MD5? SHA1? What is the salt (I guess it's different by installation but where can I find it)?
As you can see from the attached images, I need the details of where and how Magento stores password to enable IPS to use Magento's database as external database for user login details.
Attached:
Any idea or suggestion on how to get this done would be greatly appreciated!

Customer's password is stored in customer_entity_varchar, it is an eav attribute. You can't use IPB external database functionality. You should use Mage::getModel('customer/customer')->authenticate($logi, $password); to authenticate customers in your code.

You can find the encryption key in /app/etc/local.xml. I haven't looked at the user table but my guess would be the hash field is the encrypted password.
Encryption functionality is in Mage_Core_Model_Encryption so if you can gain access to Magento from your IPS board, you could do something similar to:
$password = 'whatever'; //your logic provides this password
require_once('app/Mage.php'); //path to your Magento app/Mage.php
Mage::app(); //we can now use magento functionality
$decrypted = Mage::getModel('core/encryption')->decrypt($password);
You'll need to work out where best to put this logic in order to integrate it, but it's a start at least.

Related

Show plain password in joomla

I would need a readout of joomlas user password in plain style to give special users the ability to send a mail in a custom module with login details like:
https://mydomain/login?user=testuser
password = testuserpassword
For that reason I need the plain passowrd out of the DB. Is there a way to show/read out password from joomla-db in plain style?
Thx in advanced!
Joomla saves the passwords in the database using a one way encryption mechanism, which means that you cannot know what the password is.
I am sure what you're doing can be done in a different method - if you want to login users automatically once they click on a link then you can have a different authentication plugin that will use a random, unique, one-time-use, and time-sensitive hash that will be associated with a Joomla user account.
You need to create a plugin with function after joomla user save
you need to store password in another table with user id and then you can use with sql query to get password.
This is a bad idea for the following reasons:
email is sent in plain text
email often is stored on several systems along the way to your mailbox
email often is stored on your computer in plain text or other unencrypted format
many copies may exist in many places, even after "deletion"
even encrypted email can be broken in to, given enough computing time
your account's security may have been compromised even before you read your email (changing the password will not help in this case)
However, you definitely can email the user their password upon initial registration by going to Global Configuration > Users and setting Send Password to "Yes" (default setting in Joomla 3.x).
If you are looking for a way to send this password after the registration event, as others have mentioned, you are out of luck. What Joomla! provides is a secure password reset functionality to reset a password to something the user can remember. This will be the best approach for you, as well.
Resources: Sending Passwords in Email, Stop Joomla Sending Passwords in Emails

Magento: How to create an account with email and password only

I'm using Magento 1.7.
I would like to simplify the create account (register new user) to show and require only the email and a password.
The user would only fill in the other info (like name, address, etc) when making a purchase.
The idea behind is that every user would need to give out the email address in order to view the site content.
I'm already using this extension in order to make the the site available only to login users. I need a way to simplify the register process to include only email and password
app/design/frontend/default/{yourtheme}/template/customer/form/register.phtml
and comment out the fields that you don't want.
This is what you want, right?
You can try this extension from Magento Connect - Fast Registration it allow customer registration only with Email & Password

What is the Preferred Method to having multiple websites share checkout sessions

I have implemented many multi site implementations in the past, so I get how to set up the environment. What I haven't done, is set up multiple websites that can share the same cart session.
So if you are on site1.com and add something to your cart or are logged on, when you go to site2.com you are logged in and have the same items in your cart.
From what I read around the forums, well there isn't much about the best way to share session. But I do know that using the configuration to enable SID on the frontend will pass the session id if you transfer between sites. I figured this is all you need to have, but I see where people are saying that only stores can share checkout sessions and that stores can have their own domain.
I am thinking the best way to do this is to setup multiple websites not one website multiple stores and then just make sure when linking to the other site, I use proper magento url methods to build out the link and it will pass over the SID and the users session will be transferred over.
Is this the preferred way to do this? Is there anything I need to know in terms of configuration? Is there any negatives doing it this? Is there a better way?,
Well if you want to have such possibility only for logged customers then i propose to you to use sales_flat_quote table which is represented by Mage::getModel('sales/quote').
With this model you can manage cart and focus only in passing customer identifier which would bring us to security subject... How would you pass customer identifier in secure way as SID isn't very secure.
Plus SEO doesn't like SID in URL from what i've heard.

Using Facebook Connect in cases where a username or other data is required

I'm working on a site that requires the user have a unique username to use all services on the site. They cannot self-change this username for community fairness.
We would like to allow users the simplicity of registering/logging in using their facebook accounts, but this username requirement is obviously a hurdle.
The only idea I have come up with is after the connect process, send the user to a final step page where they enter a username. The only downside to this is that the user has the ability to navigate away before entering a username, meaning we need to add further layers of checks to several site functions to ensure a user has a username, and prompt for one if not.
Any ideas on how to streamline this during the connect process? Any site examples of similar implementations where auxillary info is required to use some or all site features?
Have you looked at Facebook's registration plugin?
The Registration plugin allows users to easily sign up for your
website with their Facebook account. The plugin is a simple iframe
that you can drop into your page. When logged into Facebook, users see
a form that is pre-filled with their Facebook information where
appropriate.
https://developers.facebook.com/docs/plugins/registration/
The plugin also allows you to add custom fields so you could simply add your username field.
There are a load of advanced features including validation, here's an example in the Facebook documentation that includes the username field and checks to see if it's available
https://developers.facebook.com/docs/plugins/registration/advanced/#async

Export joomla user with same password

I am merging a small group on sort of site with my joomla site. I already have members in my joomla site so I somehow want to migrate the users of joomla to groupon database which uses a different encryption scheme for password. Is there a way to do that?
You would have to have the unencrypted passwords to be able to use that. There is no conversion from one encryption scheme to another.

Resources