I'm in the process of moving a Magento store into WooCommerce. The problem is that Magento and WordPress have different password authentication algorithms.
The way Magento stores the password: md5($salt.$password).':'.$salt;
The way WordPress stores the password: md5($password)
Is there a way to export existing Magento customers into WordPress and keep their passwords?
No, there isn't. As you noted, Magento stores its passwords with a salt
password:salt
Wordpress also stores its passwords with a salt — except the salt is an empty string and the same for everyone (i.e. Wordpress doesn't use a salt).
The is a security feature of Magento's hashing, and is meant to stop exactly the sort of thing you're trying to do.
In theory you could generate a rainbow hash table for each of the unique salts in the database, use this to crack your users passwords, and recreate them in Wordpress with a salt-less hashing. However, that's a non-trivial task if you're not familiar with the implementation of hashing algorithms, and would also take a significant amount of time.
The usual approach to this is to create new accounts in the new system, and then automatically email users a password reset link the first time they attempt to login (with additional messaging explaining things)
You could also look into changing Wordpress's login functionality — but that sounds like a different question.
Try this WordPress plugin. It allows to migrate customer passwords to WooCommerce. After finished the migration, just contact them and they will send you an additional plugin that allows your customers log in using their old passwords.
Plugin link: https://wordpress.org/plugins/nextcart-woocommerce-migration/
Tt works like a charm!
Related
I am currently recreating my portfolio, which is powered by a node/express backend. I want to have some pages where I can update/add projects to my portfolio, and I know that I will be the only admin on this site. I want to protect these pages with admin credentials. I think a user table on my database (mysql) is overkill though... is it a good idea to store user/(hashed)pass in process.ENV? I feel like theres a better way.
A database can be anything, text file, sql db, json file, even a variable in your program. A database it's just something which store data.
So, for me, you can without any issues store your credentials in the process.env. The only constraint is that you have to restart your server whenever you wan't to change password and you have to inject yourself the credentials in environement variables.
But if you're already have an sql database in your project, the best way is effectively to use a table User with hashed password. With this method you can change your password without restarting your app (but in your case is this really usefull ?) and if you're adding some users, the system will be already in place (but YAGNI)).
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
Currently I am making a WordPress plugin that will need to store an access token. I understand that it will have to be stored in a database. I've been told I can store it in a Redis database but I am concerned this will be a problem for users that don't use Redis. The alternative solution I've been thinking of is storing it in the WordPress database. Is this a better solution? Any suggestions would be greatly appreciated.
You definitely should write your plugin to store this sort of information in the WordPress mySQL instance. You are correct that most WordPress installations don't have access to Redis. To rephrase that: WordPress can't use Redis (with a very few exceptions).
You don't say much about the tokens you need to store.
If it's one per registered user, you can use the wp_usermeta table. If it's one only for the whole WordPress installation upon which your plugin is installed, you can use the wp_options table. If some of your WordPress posts/pages have their own token, you can use wp_postmeta.
If you need a whole bunch of these tokens, chosen by something besides users or posts, you may need to have your plugin create a new table in the WordPress database.
I've got a couple of questions around storing/retrieving passwords with MySQL / Visual Studio 2010 (VSTO Visual Basic). I hope they are straight forward!
SHA-2 QUESTION
I'm making a table using MySQL (through the PHPMyAdmin Interface) to store just two columns: User ID & Password. After reading through SO and a bunch of other resources it seems that storing the password using SHA-2 encryption and salting is a viable option. Is this correct?
VISUAL STUDIO 2010 QUESTION
I am building a VSTO project in Visual Studio 2010 and will be accessing the data in the table using Visual Basic - how can I encode a user-inputted password with the SHA-2 algorithm? I can't seem to find any 'current' guides on this process. I'd imagine I have to download/install an extension that can process the SHA-2 algorithm into VS2010. The process here is, I have a 'login system' built within Excel but I want to verify the username/password combination by comparing it to the already existing data in the MySQL table.
SALTING QUESTION
Also, Salting is HIGHLY recommended practically everywhere I read so I decided to use a random string like 's#w0s9w%$x" or something like that and obviously store this/use it every time I need to encode + match a password to the database. Is this secure enough? How would you use a different salt word for every user but keep track of this? Would you simple save the username/salt-word combination in another table and extract it later?
EDIT: Added more info!
Don't try to create your own password hashing scheme. Instead use a well known one. Generally there are three options: Bcrypt, Scrypt, and PBKDF2. These are designed by security professionals, and have been around for a long time and have not been broken. Implementations are available for many languages.
For the salting question, you have the basic idea right. Usually the salt is stored with the password in the database. The salt is not considered to be a secret, but it should be unique for every user. Bcrypt hashes already contain the salt in itself, so you don't need to worry about that.
Related answer in security.se: https://security.stackexchange.com/a/6415/20774
A nice article on the subject of password hashing: http://crackstation.net/hashing-security.htm
A client im working for has created a web app that uses a password and user name to sync data to a cloud. He wants a website to sell the web app through and serve as a support forum for this i was thinking of using wordpress with buddypress and the marketpress plugin from WPMUdev. We'd love to be able to sync the user names and passwords so that they're the same on the support forum and when they sync their data to the cloud.
So what we would need to do is store the password and username in another database table that the app can access or find a way for the app to access password and username tables within the wordpress database. I cant really find any pages in the wordpress docs or elsewhere that detail how passwords and usernames are stored on registration. Has anyone tried/done this before? Or does anyone know where i can find some information on the process wordpress goes through to store and retrieve passwords?
Cheers,
Jonny
This can be done by replacing the Wordpress default register screen with a custom one developed in the theme by a template for explample.
You can then use the wp_insert_user/wp_create_user function to register the user and in the same time to insert the details in the other database