Magento 1 use MD5 hash to encrypt the password and Magento 2 use SHA-256.
In Magento 1, they use Mage_Core_Model_Encryption class with following functions.
1 2 3 4 5 6 7 8 | public function getHash($password, $salt = false) { if (is_integer($salt)) { $salt = $this->_helper->getRandomString($salt); } return $salt === false ? $this->hash($password) : $this->hash($salt . $password) . ':' . $salt; } |
1 2 3 4 5 | public function hash($data) { return md5($data); } |
Magento 1 generate hash by md5(salt + password) and save in database with 1 colon like $password-hash : $salt.
Magento 2 has changed logic and written in vendor/magento/framework/Encryption/Encryptor.php
Magento 2 generate hash like hash(‘sha256’, $salt . $password); and save with 2 colons in database like
$password-hash : $salt: $version
You have to override Encryptor class via di.xml with some private functions in your module.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 | /** * Class Encryptor provides basic logic for hashing strings and encrypting/decrypting misc data */ class Encryptor extends \Magento\Framework\Encryption\Encryptor { /** * @var array map of hash versions */ private $hashVersionMap = [ self::HASH_VERSION_MD5 => 'md5', self::HASH_VERSION_SHA256 => 'sha256' ]; /** * @var array map of password hash */ private $passwordHashMap = [ self::PASSWORD_HASH => '', self::PASSWORD_SALT => '', self::PASSWORD_VERSION => self::HASH_VERSION_LATEST ]; /** * @param string $hash * @return array */ private function explodePasswordHash($hash) { $explodedPassword = explode(self::DELIMITER, $hash, 3); foreach ($this->passwordHashMap as $key => $defaultValue) { $this->passwordHashMap[$key] = (isset($explodedPassword[$key])) ? $explodedPassword[$key] : $defaultValue; } return $this->passwordHashMap; } /** * @return string */ private function getPasswordHash() { return (string)$this->passwordHashMap[self::PASSWORD_HASH]; } /** * @return string */ private function getPasswordSalt() { return (string)$this->passwordHashMap[self::PASSWORD_SALT]; } /** * @return array */ private function getPasswordVersion() { return array_map('intval', explode(self::DELIMITER, $this->passwordHashMap[self::PASSWORD_VERSION])); } /** * @inheritdoc */ public function isValidHash($password, $hash) { $this->explodePasswordHash($hash); $hashs = explode(":", $hash); if(count($hashs) == 2){ $password = md5($this->getPasswordSalt() . $password); } else{ foreach ($this->getPasswordVersion() as $hashVersion) { $password = $this->hash($this->getPasswordSalt() . $password, $hashVersion); } } //print $password . " ". $this->getPasswordHash(); die; return Security::compareStrings( $password, $this->getPasswordHash() ); } } |
Now Magento 1 user will able to login their old password. New customers password logic will remain same.