Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

    #16
    Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

    Could anyone tell me if the "Admin Login as Customer" module from emediasales will continue to work after the update? I've worked out fixes for everything else that seems likely to be affected, but this one is critical for us and I can't find any mention of it. Since it involves passwords and login, I'm wary of it.

    Is it just the password field that will be encrypted now? We can still read login names and email addresses from the database?

    Thanks,
    Charles


      #17
      Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

      Hello Miva support: Where does this password encryption update stand? I initially received a notice when I logged into admin that the update was available for installation. Being cautious, I deferred on doing the update, afraid of possible problems that might arise. Now I no longer receive the notice to update. That's unexpected; I thought on previous updates that I had received notification of their availability until I finally did the update.

      Frankly, this update scares me a bit. Have there been any significant issues with this other than what I see in this thread?

      Regards, Larry
      Last edited by wajake41; 10-29-12, 08:09 PM.
      Larry
      Luce Kanun Web Design
      www.facebook.com/wajake41
      www.plus.google.com/116415026668025242914/posts?hl=en



        #18
        Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

        Hello support: Another concern about this update. Is the entire customer table (all columns) being encrypted or only the password? My concern is that we have a PHP program that reads the customer table using the customer email address. Will this be broken if we update?

        Thanks, Larry
        Larry
        Luce Kanun Web Design
        www.facebook.com/wajake41
        www.plus.google.com/116415026668025242914/posts?hl=en



          #19
          Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

          If it's no longer telling you there's an update, the odds are almost 100% that someone updated you already. Look in the upper right corner of your admin and double check.

          As for encryption it only encrypts the password.

          There have been essentially no issues with the encryption.
          Thanks,

          Rick Wilson
          CEO
          Miva, Inc.
          [email protected]
          https://www.miva.com


            #20
            Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

            Charles,

            I can't answer that question about the emedia module, it depends on how they accomplish that task.
            Thanks,

            Rick Wilson
            CEO
            Miva, Inc.
            [email protected]
            https://www.miva.com


              #21
              Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

              Hi Rick: thanks for your reply. Took a look at our admin and we are still at Update 6. I do see the message that updates are available when I view the bottom of the left menu column. Maybe I checked the "don't tell me again" option. Anyway, if only the password is encrypted, it seems like we will be OK for our read of the customer table by email address. I'll try it out on our DEV platform to be sure.

              Thanks again, Larry
              Larry
              Luce Kanun Web Design
              www.facebook.com/wajake41
              www.plus.google.com/116415026668025242914/posts?hl=en



                #22
                Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                Ran update 7 in DEV. My PHP program still can read the Customer table.
                Went to the Hostasaurus Control panel and browsed the Customer table. Password is now encrypted, all the other columns are not. All is well.
                Will try our production sites this weekend.
                Thanks for the feedback, Larry
                Larry
                Luce Kanun Web Design
                www.facebook.com/wajake41
                www.plus.google.com/116415026668025242914/posts?hl=en



                  #23
                  Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                  We have been using the Sebenza's Welcome and Password Email module. Does PR8 Update 7 have a password recovery option built in? Can I keep the module to use for the welcome email and just remove the password recovery option on the checkout page?


                    #24
                    Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                    Originally posted by Eric S:
                    We have been using the Sebenza's Welcome and Password Email module. Does PR8 Update 7 have a password recovery option built in? Can I keep the module to use for the welcome email and just remove the password recovery option on the checkout page?

                    From the PR8-7 release notes:
                    Lost customer passwords are now handled by sending the customer a password reset link via email (rather than their password, as in previous versions). When the customer clicks on the reset link, a new password is automatically generated and displayed over a secure connection.
                    http://extranet.mivamerchant.com/for...-Been-Released
                    Last edited by Brandon MUS; 12-28-12, 02:50 PM.


                      #25
                      Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                      With regard to unencrypted passwords, I have one module that accesses these -- Viking Phone Order Manager. I assume that once they are encrypted, Phone Order Manager will simply display the encrypted value for the password and cause no other issue. I do not see that Viking has updated the module past the 6.000 version that I have installed. (Frankly, since they went to emediasales.com, it is nearly impossible to determine what the current release for their modules is.)

                      Can anyone confirm that the 6.000 POM module will not cause problems with the encrypted passwords?

                      Thanks

                      Kevin Garrett


                        #26
                        Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                        Originally posted by burch:
                        Yes. Customer passwords are now encrypted using PBKDF1 from PKCS No. 5 with SHA1 as the hash algorithm and 1000 iterations by default. Salting is per-customer and the encrypted passwords are stored in the following format:

                        PBKDF1:hash:iterations:salt-base64:ciphertext-base64

                        For example, here is the password "pr8-update-7" in encrypted form:

                        PBKDF1:sha1:1000:ozeRgGuxkRU=:S3lRcJ3sV0v7pZf/EDPROqJThKo=

                        PBKDF2 is also supported for customer password encryption, as well as variations in the hash algorithms and number of iterations, but due to platform support and performance reasons, passwords that we encrypt will currently always be PBKDF1 with SHA1 and 1000 iterations.

                        Detailed information about PBKDF1 can be found in RFC 2898.

                        One of my clients has just run into a problem with this. I'm not a real expert on encryption, and the RFC isn't very user-friendly :^. What I need to know is: Is it possible to decrypt an encrypted password, or is this intended to be a one-way transformation?

                        - If it's possible, how do I do it? Can you give me a code snippet?

                        - If not, is there an alternate way for a module to get a shopping session logged in? Can it just write the customer ID value into g.Basket:cust_id, and into the corresponding record in the Baskets table?

                        Thanks --
                        Last edited by Kent Multer; 04-07-13, 11:14 AM.
                        Kent Multer
                        Magic Metal Productions
                        http://TheMagicM.com
                        * Web developer/designer
                        * E-commerce and Miva
                        * Author, The Official Miva Web Scripting Book -- available on-line:
                        http://www.amazon.com/exec/obidos/IS...icmetalproducA


                          #27
                          Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                          Originally posted by Kent Multer:
                          One of my clients has just run into a problem with this. I'm not a real expert on encryption, and the RFC isn't very user-friendly :^. What I need to know is: Is it possible to decrypt an encrypted password, or is this intended to be a one-way transformation?

                          It is one-way encryption. There is a function, Customer_Password_Verify( plaintext, encrypted ) in features/cus/cus_ut.mv that you can call to verify a password which handles everything for you.

                          Originally posted by Kent Multer:
                          If not, is there an alternate way for a module to get a shopping session logged in? Can it just write the customer ID value into g.Basket:cust_id, and into the corresponding record in the Baskets table?

                          You could do this. You would also need to set Basket:cussess_id and set the mm5-<store code>-customer-session cookie.


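Added example (not part of the original posts, and not Miva's code): the stored format quoted in post #26 can be parsed and checked by recomputing PBKDF1 as defined in RFC 2898, which is why verification works without any decrypt step. The function names are hypothetical, and it is an assumption that Miva's output matches the RFC construction byte for byte and that passwords are UTF-8 encoded.

```python
import base64
import hashlib
import hmac
import os

# Stored value quoted in the thread for the password "pr8-update-7".
THREAD_EXAMPLE = "PBKDF1:sha1:1000:ozeRgGuxkRU=:S3lRcJ3sV0v7pZf/EDPROqJThKo="


def pbkdf1(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 2898 PBKDF1 with SHA-1: T_1 = H(P || S), T_i = H(T_{i-1})."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    digest = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest  # full 20-byte output; no step here can be run backwards


def parse_record(record: str) -> dict:
    """Split scheme:hash:iterations:salt-base64:digest-base64 into fields."""
    parts = record.split(":")
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields")
    scheme, hash_name, iterations, salt_b64, digest_b64 = parts
    # Only the combination the thread says is written today is accepted.
    if (scheme, hash_name) != ("PBKDF1", "sha1"):
        raise ValueError("unsupported scheme or hash")
    return {
        "iterations": int(iterations),
        "salt": base64.b64decode(salt_b64, validate=True),
        "digest": base64.b64decode(digest_b64, validate=True),
    }


def make_record(password: str, iterations: int = 1000) -> str:
    """Hash a password with a fresh per-customer salt (8 bytes, as in the example)."""
    salt = os.urandom(8)
    digest = pbkdf1(password.encode("utf-8"), salt, iterations)  # UTF-8 is an assumption
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "PBKDF1:sha1:%d:%s:%s" % (iterations, b64(salt), b64(digest))


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    fields = parse_record(record)
    candidate = pbkdf1(password.encode("utf-8"), fields["salt"], fields["iterations"])
    return hmac.compare_digest(candidate, fields["digest"])
```

A tool that only reads the customer table, like the PHP program mentioned earlier in the thread, can use the parsed fields to confirm a row has been migrated to the hashed format without ever handling a plaintext password.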

                            #28
                            Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                            Originally posted by burch:
                            You could do this. You would also need to set Basket:cussess_id and set the mm5-<store code>-customer-session cookie.

                            Cool. What's the best way to set the cookie? I know there are functions in util.mv for this. From a quick look, I'd guess that I would use SetRuntimeCookies(), or maybe SetCookie() followed by OutputCookies(); but I could use some advice on that.

                            Thanks again --
                            Kent Multer
                            Magic Metal Productions
                            http://TheMagicM.com
                            * Web developer/designer
                            * E-commerce and Miva
                            * Author, The Official Miva Web Scripting Book -- available on-line:
                            http://www.amazon.com/exec/obidos/IS...icmetalproducA


                              #29
                              Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                              Originally posted by Kent Multer:
                              Cool. What's the best way to set the cookie? I know there are functions in util.mv for this. From a quick look, I'd guess that I would use SetRuntimeCookies(), or maybe SetCookie() followed by OutputCookies(); but I could use some advice on that.

                              Call UpdateSessionID() instead. It sets the cookies and also updates the session URLs.


                                #30
                                Re: Miva Merchant 5. Production Release 8 Update 7 Customer Password Encryption Info

                                Hi Burch -- OK, I've written code that updates g.Basket, and the Baskets table, and calls UpdateSessionID(). It also initializes g.Customer to the new account; we didn't discuss that, but it seemed logical. This all seems to be working correctly. But earlier, you mentioned Basket:cussess_id. Does UpdateSessionID() take care of setting that, or do I have to do it in my code? If the latter, what's the correct value?

                                Thanks again --
                                Kent Multer
                                Magic Metal Productions
                                http://TheMagicM.com
                                * Web developer/designer
                                * E-commerce and Miva
                                * Author, The Official Miva Web Scripting Book -- available on-line:
                                http://www.amazon.com/exec/obidos/IS...icmetalproducA
