Daily Archives: April 9, 2012

Magento Customer Passwords

Recently I had occasion to export some customer data and use it in another system. This way I don’t need 2 different sign-ons for an external CMS.

Magento stores the hashed password together with its salt. You can use this code as a guide to checking Magento customer passwords outside (well, inside, too, I guess…) Magento. It is a PHP command-line script.

<?php
/* Substitute appropriate Mage path: */
require_once( "../../app/Mage.php" );
Mage::app()->setCurrentStore(Mage_Core_Model_App::ADMIN_STORE_ID);

/* argv[1] is assumed to be the email address in our program
 * argv[2] is the password
 * (command-line arguments show up in the process list and shell history)
 */
if ($argc < 3) {
    fwrite(STDERR, "Usage: php " . $argv[0] . " <email> <password>\n");
    exit(1);
}
$customer = Mage::getModel('customer/customer')->setWebsiteId(Mage::app()->getStore()->getWebsiteId())->loadByEmail($argv[1]);
if (!$customer->getId()) {
    /* Nothing was loaded, so there is no hash to check */
    fwrite(STDERR, "No customer found for that email address\n");
    exit(1);
}
echo "Customer ID: " . $customer->getId() . "\n";

/* Load in the password_hash: */
$hash_in_db = $customer->getPasswordHash();
echo "Hashed password as stored in the database: ". $hash_in_db . "\n";

/* The hashed password is stored as:
 *      hash.':'.salt
 * We explode at the ':' such that hash is in element 0, salt is in element 1.
 * If no ':' is present, the salt is treated as empty instead of raising a notice.
 */
$a = explode(':', $hash_in_db);
$hash = $a[0];
$salt = isset($a[1]) ? $a[1] : '';

/* Generate a hash based on what was passed in at argv[2] */
$password_in = $argv[2];
$computed_password = md5($salt . $password_in);

echo "Database=[$hash]  Computed=[$computed_password]\n\n";

/* Well, did it match? */
echo ( $computed_password === $hash ) ? "BOOM-MATCH!\n" : "*bbzzt* nope\n";
exit(0);

Thank you, unexpected[it]!
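
For the external system itself, which has only the exported `hash:salt` value and no Mage.php, the same check can be paired with a rehash on the first successful login so the salted md5 value does not stay in the new database. This is an added example, not code from the original post; it assumes PHP 5.6 or later, and the function names and the `$user` record layout are hypothetical.

```php
<?php
/* Check a password against an exported Magento value: "hash:salt", or a bare
 * md5 hash when no salt was stored. hash_equals() compares in constant time. */
function magento_legacy_verify($password, $stored)
{
    $parts = explode(':', $stored, 2);
    if (!preg_match('/^[0-9a-f]{32}$/', $parts[0])) {
        return false;                        // not an md5-style value
    }
    $salt = isset($parts[1]) ? $parts[1] : '';
    return hash_equals($parts[0], md5($salt . $password));
}

/* Verify a login against one user record (hypothetical array with a
 * 'password_hash' key). After a successful legacy match the stored value is
 * replaced by a password_hash() value, so the md5 form is gone after the
 * first login. Returns array(bool $ok, bool $upgraded). */
function verify_and_upgrade($password, array &$record)
{
    $stored = $record['password_hash'];
    if (strncmp($stored, '$', 1) === 0) {    // already a password_hash() value
        return array(password_verify($password, $stored), false);
    }
    if (!magento_legacy_verify($password, $stored)) {
        return array(false, false);
    }
    $record['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    return array(true, true);
}

// Constructed sample record (salt "ab", password "s3cret"), not real data.
$user = array(
    'email'         => 'user@example.com',
    'password_hash' => md5('ab' . 's3cret') . ':ab',
);

// A wrong password leaves the record untouched.
list($ok, $upgraded) = verify_and_upgrade('wrong', $user);
var_dump($ok, $upgraded);

// The correct password matches the legacy value and rewrites the record.
list($ok, $upgraded) = verify_and_upgrade('s3cret', $user);
var_dump($ok, $upgraded);

// The next login is checked by password_verify() against the new value.
list($ok, $upgraded) = verify_and_upgrade('s3cret', $user);
var_dump($ok, $upgraded);
```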