Eric Wiese

Native PHP Passwords

Background

Magento Community Edition natively hashes customer and admin passwords with MD5 (salted, but still MD5), an algorithm that is increasingly inadequate for this purpose. Enterprise Edition improves the situation by using SHA-256, but the underlying shortcoming remains: both are general-purpose digests designed to be fast, and a hash that commodity GPUs can compute billions of times per second is fundamentally unsuitable for password storage, because an attacker who obtains the database can test guesses at that same rate. Password hashing calls for a deliberately slow function with a tunable work factor, such as bcrypt.

Module Overview

To upgrade Magento's hashing implementation, this module transparently uses the native PHP password API (password_hash() and password_verify(), which default to bcrypt) whenever Magento creates or verifies a customer or admin password hash. The module also bundles the password_compat compatibility library, so Magento can use these secure hashes on PHP versions as old as 5.3.7, well before the API was added to PHP itself in 5.5.
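What the native API gives you, and how a legacy hash could be upgraded transparently at login, as an added example (this is not the module's code). It assumes the Magento 1 CE legacy format is md5(salt . password) followed by ':' and the salt, as Mage_Core_Model_Encryption produces, and the upgrade-on-login flow is one possible design, not a statement of how the module behaves. The constant BCRYPT_COST and all function names are mine; the sample hash and passwords are constructed.

```php
<?php
// Added example, not the module's code. Shows password_hash()/password_verify(),
// password_needs_rehash(), and one way a legacy Magento 1 CE md5 hash
// (assumed format: md5(salt . password) . ':' . salt) could be upgraded to
// bcrypt the next time the user logs in, since that is the only moment the
// plaintext is available.
//
// On PHP < 5.5 the password_compat polyfill supplies the password_* functions:
// if (!function_exists('password_hash')) { require 'lib/password.php'; }

const BCRYPT_COST = 12; // assumption: tune until one hash takes ~100 ms on the login server

// hash_equals() only exists from PHP 5.6; constant-time fallback for older versions
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user)
    {
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($known); $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

/** New hash via the native API: bcrypt, random salt and cost embedded in the string. */
function createHash($password)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

/** True if the stored string is something password_verify() understands ($2y$...). */
function isNativeHash($storedHash)
{
    $info = password_get_info($storedHash); // 'algo' is 0 (or null on 7.4+) when unknown
    return !empty($info['algo']);
}

/** Verify the assumed legacy format md5(salt . password) . ':' . salt. */
function verifyLegacyMd5($password, $storedHash)
{
    $parts = explode(':', $storedHash, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32) {
        return false;
    }
    list($digest, $salt) = $parts;
    return hash_equals($digest, md5($salt . $password));
}

/**
 * Returns array(bool $ok, string|null $newHash). $newHash is non-null when the
 * caller should persist an upgraded hash: a verified legacy md5 hash, or a
 * bcrypt hash whose cost is below the current BCRYPT_COST.
 */
function verifyAndUpgrade($password, $storedHash)
{
    if (isNativeHash($storedHash)) {
        if (!password_verify($password, $storedHash)) {
            return array(false, null);
        }
        $stale = password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        return array(true, $stale ? createHash($password) : null);
    }
    if (verifyLegacyMd5($password, $storedHash)) {
        return array(true, createHash($password)); // plaintext is in hand: upgrade now
    }
    return array(false, null);
}

// --- Demo with constructed values -------------------------------------------
$legacy = md5('s4lt' . 'correct horse') . ':s4lt';  // what the old scheme would have stored

list($ok, $upgraded) = verifyAndUpgrade('correct horse', $legacy);
assert($ok && $upgraded !== null && strpos($upgraded, '$2y$') === 0);

list($ok, $again) = verifyAndUpgrade('correct horse', $upgraded); // already bcrypt at current cost
assert($ok && $again === null);

list($ok, $none) = verifyAndUpgrade('wrong password', $legacy);
assert(!$ok && $none === null);

// Why the work factor matters: per-guess cost of md5 versus bcrypt on this machine.
$n = 100000;
$t = microtime(true);
for ($i = 0; $i < $n; $i++) {
    md5('s4ltguess' . $i);
}
$md5PerGuess = (microtime(true) - $t) / $n;
$t = microtime(true);
createHash('guess');
$bcryptPerGuess = microtime(true) - $t;
printf("md5: %.2e s/guess, bcrypt cost %d: %.3f s/guess\n", $md5PerGuess, BCRYPT_COST, $bcryptPerGuess);
```

The stored string from password_hash() already carries the algorithm, cost and salt, so password_needs_rehash() lets you raise BCRYPT_COST later and have every hash upgraded lazily as users log in, exactly the way the legacy md5 hashes are handled above. The verification of the legacy digest uses hash_equals() rather than == so that the comparison does not leak timing and does not fall into PHP's loose numeric comparison of hex strings.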

Integrated unit tests and continuous integration exercise the module against several Magento / PHP combinations.

Where to get it

The module can be found on GitHub: https://github.com/ericthehacker/magento-phpnativepasswords.

Please refer to the README — I pride myself on comprehensive documentation. As always, I welcome feedback, issues, and pull requests. :)