-1

I am currently working on transferring a client's website to a new platform. The old site has a SQL database that stores all of the users. The new site will be built on the Shopify platform. My client is asking me to retrieve all of the existing site's user passwords and import them into the new site. That way the client has a seamless login without having to go through a password reset process. When I look at the old site's database, it looks like all the passwords are stored using MD5 encryption(?). So my overall question is: is there a way to export all the MD5 passwords decrypted?

The client is very set on importing passwords because he is concerned with user experience. While I do agree that having to go through a password reset is a slight annoyance, I feel that it is safer and follows better practices.

That said, I'm trying to find all the solutions possible before I begin to explain to my client why we can't/shouldn't download and import all passwords. I have done some searching but I can't quite seem to find anything quite the same as what I'm asking. Any answers or references would be greatly appreciated.

Brendin
  • You do realize that's hacking someone's password? There is a way to decrypt MD5, but you'll need a good rainbow table – Misa Lazovic Feb 29 '16 at 14:41
  • If it's not salted / or you know the salt, you can just copy the hashes and use that in your app. If your app does not use hashed passwords, please implement that, ASAP. – Koshinae Feb 29 '16 at 16:32
  • And that is the next thing I'm worried about. It does sound like it is technically hacking passwords. Overall I feel like it's the least productive way to go about it. As far as the Shopify using hashes or not, I'm not entirely sure. But I have full confidence that they are using a secure method. – Brendin Feb 29 '16 at 17:41

2 Answers

0

There is no complete way to un-hash MD5 hashes.

Is it possible to decrypt md5 hashes?

Also, your client's users would not like their passwords to be exposed to anyone.

rath3r
  • I think your final statement is the overall end game of this conversation. I feel like any way of exporting the data is just a security issue waiting to happen. That said, I would rather get all my facts and options before having to consult the client on our next move. Thanks for the input! – Brendin Feb 29 '16 at 17:46
0

You can't reliably "unhash" MD5 hashes, because multiple different words can match the same hash.

Your client's request still makes sense.

What you want to do is figure out how to use some kind of external authentication for Shopify in such a way as to migrate users from your current site to Shopify when they log in, since that is the moment they provide you the password.

This may mean you need to provide the old login page for some time and insert data into Shopify or to somehow force Shopify to use your backend for authentication. Depends on technical possibilities.

When an acceptable percentage of customers are migrated, you can mark the rest of users as having password expired, so they can still reset their password via email.

This may be of some help: https://ecommerce.shopify.com/c/shopify-apis-and-technology/t/using-shopify-customer-login-for-an-external-app-130458

hruske
  • Great idea, this will definitely give me something to start from. I'll start digging around to see what technical possibilities Shopify will allow. Thanks! – Brendin Feb 29 '16 at 17:44
  • Basically setting up an oAuth (open Authentication) service, no? – Pitt Jul 25 '16 at 14:29
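
The migrate-on-login flow described in the second answer, as an added Python example that is not part of the original thread. It assumes the legacy column holds an unsalted hex MD5 of the password; `new_users` is a hypothetical in-memory stand-in for the new platform's account store (no Shopify API is used), and PBKDF2-SHA256 is this example's choice for the replacement hash.

```python
import hashlib
import hmac
import os

# Constructed sample data: legacy table of email -> unsalted hex MD5 (assumed format).
legacy_users = {
    "alice@example.com": hashlib.md5(b"correct horse").hexdigest(),
    "bob@example.com": hashlib.md5(b"hunter2").hexdigest(),
}
new_users = {}  # hypothetical stand-in for the new platform's account store


def strong_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used for every migrated account (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def login(email: str, password: str) -> bool:
    """Check the new store first; fall back to the legacy MD5 and migrate on success."""
    record = new_users.get(email)
    if record is not None:
        salt, stored = record
        return hmac.compare_digest(strong_hash(password, salt), stored)
    legacy = legacy_users.get(email)
    if legacy is None:
        return False  # unknown user, or expired at cut-over
    candidate = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, legacy):
        return False
    # The plaintext is available only at this moment: re-hash it and drop the MD5.
    salt = os.urandom(16)
    new_users[email] = (salt, strong_hash(password, salt))
    del legacy_users[email]
    return True


def expire_unmigrated() -> list:
    """Cut-over: discard remaining MD5 hashes; these users must reset by email."""
    pending = sorted(legacy_users)
    legacy_users.clear()
    return pending
```

No password is ever recovered from its hash here: each account moves only when its owner supplies the password, and the list returned by `expire_unmigrated()` is the set of users who get the reset email.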