Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info


    During the upgrade process to PR8 Update 7 you were presented with a warning:

    In order to enhance security, PR8 Update 7 changes the way customer passwords are managed. Starting with this update, shopper passwords are stored using the same encryption technique used for administrative passwords. During the update, the passwords for all customer accounts will be encrypted. This process may take some time, depending on the number of customer accounts present.


    Any external integrations that rely on customer passwords being stored unencrypted will no longer be able to access the decrypted
    customer passwords. Most stores will not be affected, but if you are unsure, you should delay upgrading to PR8 Update 7 until you
    have verified that you have no processes or integrations that rely on unencrypted customer passwords.
    We chose to highlight this warning for every customer who is upgrading regardless of their store configuration since it's not plausible for us to know if you have a custom integration either through Miva Merchant's APIs or by directly connecting to the database that accesses and uses Customer Account information.

    While we believe only a very small portion of our customers would be accessing the information in this way, we felt it was prudent to highlight it for everyone as a precaution.

    If you do have a custom integration that relies on accessing unencrypted Customer Account information (this is the Account information your customers use to log in to their store and display their address information and Order History), you should not complete this upgrade until you can alter your integration to work with PR8 Update 7.

    If you do not have any external applications or integrations which require access to unencrypted customer account information, then it's safe to click the Continue Installation button and upgrade your store to PR8 Update 7.

    If you have any questions please reply to this Forum post and we'll be monitoring it specifically for PR8 Update 7 Upgrade questions.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com

    #2
    Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

    Is there any way to verify the password hash outside of using MivaScript or the Miva Merchant API? I ask because I currently am integrated using PHP. If I know the algorithm used and where the salt is (if it is per customer, per store, or some combination), I can update my integration and continue business as usual.



      #3
      Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

      Originally posted by Brandon MUS
      Is there any way to verify the password hash outside of using MivaScript or the Miva Merchant API? I ask because I currently am integrated using PHP. If I know the algorithm used and where the salt is (if it is per customer, per store, or some combination), I can update my integration and continue business as usual.
      Yes. Customer passwords are now encrypted using PBKDF1 from PKCS No. 5 with SHA1 as the hash algorithm and 1000 iterations by default. Salting is per-customer and the encrypted passwords are stored in the following format:

      PBKDF1:hash:iterations:salt-base64:ciphertext-base64

      For example, here is the password "pr8-update-7" in encrypted form:

      PBKDF1:sha1:1000:ozeRgGuxkRU=:S3lRcJ3sV0v7pZf/EDPROqJThKo=

      PBKDF2 is also supported for customer password encryption, as well as variations in the hash algorithms and number of iterations, but due to platform support and performance reasons, passwords that we encrypt will currently always be PBKDF1 with SHA1 and 1000 iterations.

      Detailed information about PBKDF1 can be found in RFC 2898.
      Last edited by burch; 10-17-12, 08:02 AM.
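An external verifier for the stored format described in post #3, as an added example that is not part of the post and is not Miva's code. It follows PBKDF1 as defined in RFC 2898 and handles only the PBKDF1/SHA-1 case the post says is written; the function names, the UTF-8 password encoding and the iteration cap are assumptions.

```python
import base64
import hashlib
import hmac
import os

MAX_ITERATIONS = 1_000_000  # assumed cap so a corrupted record cannot stall the verifier


def pbkdf1(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF1 with SHA-1 (RFC 2898, section 5.1): T1 = H(P || S), Ti = H(T(i-1))."""
    digest = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def parse_stored(stored: str):
    """Split 'PBKDF1:hash:iterations:salt-base64:ciphertext-base64' into typed fields."""
    scheme, hash_name, iterations, salt_b64, dk_b64 = stored.strip().split(":")
    if scheme != "PBKDF1" or hash_name.lower() != "sha1":
        raise ValueError("only PBKDF1 with SHA-1 is handled in this example")
    count = int(iterations)
    if not 1 <= count <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    salt = base64.b64decode(salt_b64, validate=True)
    derived = base64.b64decode(dk_b64, validate=True)
    if not 1 <= len(derived) <= hashlib.sha1().digest_size:
        raise ValueError("derived key length invalid for SHA-1")
    return hash_name.lower(), count, salt, derived


def make_stored(password: str, salt: bytes = None, iterations: int = 1000) -> str:
    """Build a record in the same layout (used here to produce constructed test data)."""
    salt = os.urandom(8) if salt is None else salt
    derived = pbkdf1(password.encode("utf-8"), salt, iterations)
    return "PBKDF1:sha1:%d:%s:%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(derived).decode())


def verify_password(candidate: str, stored: str) -> bool:
    """True if candidate matches the stored record; malformed records verify as False."""
    try:
        _, count, salt, expected = parse_stored(stored)
    except ValueError:
        return False
    # PBKDF1 output is the leading bytes of the final digest; compare in constant time.
    derived = pbkdf1(candidate.encode("utf-8"), salt, count)[: len(expected)]
    return hmac.compare_digest(derived, expected)
```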



        #4
        Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

        Awesome, awesome, awesome. Thank you Jon.



          #5
          Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

          Rick, I have several clients that have the password encryption module installed. Is it as simple as uninstalling that, in order to run this update, or is more prep needed?
          Holly Nelson, CEO of 2C Development Group
          www.2cdevgroup.com
          @2cdevelopment



            #6
            Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

            Deleted due to wrong info.
            Last edited by Rick Wilson; 10-22-12, 12:36 PM.
            Thanks,

            Rick Wilson
            CEO
            Miva, Inc.
            [email protected]
            https://www.miva.com



              #7
              Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

              Oops, I'm wrong. DON'T UNINSTALL THE MODULE.

              The software will handle it for you during the upgrade.
              Thanks,

              Rick Wilson
              CEO
              Miva, Inc.
              [email protected]
              https://www.miva.com



                #8
                Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                Thanks Rick!!
                Holly Nelson, CEO of 2C Development Group
                www.2cdevgroup.com
                @2cdevelopment



                  #9
                  Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                  Originally posted by Rick Wilson
                  Oops, I'm wrong. DON'T UNINSTALL THE MODULE.

                  The software will handle it for you during the upgrade.
                  Rick,

                  What module are you saying shouldn't be uninstalled? I had the email login module installed from Emporium Plus and received the error message that it needed to be removed before proceeding with the update. After setting LOGN and ORDR pages back to their original state and deleting the module from MM5.5 I was then able to proceed with the update. No further errors were noted. However, now that the update is installed, any customers who were created prior to the update cannot get a valid link for retrieving or changing their password. I started trying it with my password and since I wasn't getting anywhere, I contacted Jim in Customer Support. He created a new user and it worked fine. I believe he then tried to access the password again later and began getting the error information I have been receiving. So far haven't heard anything since I submitted my username to Jim. This is going to cause big problems for customers if we can't figure out why the link is saying it is invalid or expired when it is being sent immediately from my website to the customer. Are any other websites reporting this issue?



                  Kathleen Steimle-Hermes, owner
                  Miss Kate's Creations
                  [email protected]
                  www.misskatescreations.com


                  Handcrafted fabric covered photo albums, frames, brag books and MORE




                    #10
                    Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                    I was referring to our old module that was available free from Miva Central (not any third party module).

                    I'll ask Jim about your issue.
                    Thanks,

                    Rick Wilson
                    CEO
                    Miva, Inc.
                    [email protected]
                    https://www.miva.com



                      #11
                      Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                      Uh oh, what happens if I DID uninstall it and then ran the update?
                      Holly Nelson, CEO of 2C Development Group
                      www.2cdevgroup.com
                      @2cdevelopment



                        #12
                        Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                        I'm not sure; you should open a ticket and have them double check.
                        Thanks,

                        Rick Wilson
                        CEO
                        Miva, Inc.
                        [email protected]
                        https://www.miva.com



                          #13
                          Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                          Thanks, Rick. Putting in a ticket now.
                          Holly Nelson, CEO of 2C Development Group
                          www.2cdevgroup.com
                          @2cdevelopment



                            #14
                            Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                            Update from Support: "All you did was manually remove a module that the update would have simply removed for you, no harm done."
                            Holly Nelson, CEO of 2C Development Group
                            www.2cdevgroup.com
                            @2cdevelopment



                              #15
                              Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                              Originally posted by Miss Kate
                              I believe he then tried to access the password again later and began getting the error information I have been receiving.
                              The link is good only once. Once you click on it you cannot click on it again.
                              Jim McCormick
                              Miva Merchant Support
                              866-284-9812

                              https://www.miva.com

