How are zencart passwords encrypted in Sql Server?

Question

I have set up a zencart on my web server and the passwords for admin functions are encrypted (or obfuscated in some way) in the sql database associated with zencart - can anyone tell me the extent of this encryption? I want to know if someone who managed to get hold of the database would be able to get access to the data in the password section of the database or whether I would be protected against that specific part of the data becoming public by its encryption.

If it is encrypted, how is it encrypted and how easily can they decrypt it?

It is a default zen cart set up.

Kind regards

Answer 1

Passwords in ZenCart are stored as MD5 hash created for a salt + password. The format stored in the SQL database is MD5Hash:Salt.

Salting the password before creating the hash prevents users with access to the user table from reverse engeneering the password with help from rainbow tables. So, you are secure, but it could be better if a SHA-2 algorithm was used.

With PHP you can create data for storage with this code:

$hashedPassword = md5($salt.$password).':'.$salt;

Answer 2

Newer versions of ZenCart use the SHA256 hashing algorithm with a random salt (even though for some unknown reason the variable is called "password"):

function zen_encrypt_password_new($plain)
{
  $password = '';
  for($i = 0; $i < 40; $i ++) {
    $password .= zen_rand();
  }
  $salt = hash('sha256', $password);
  $password = hash('sha256', $salt . $plain) . ':' . $salt;
  return $password;
}

(from version 1.5.4 - includes/functions/password_funcs.php)