Migrating Users to 5.x without passwords

jack68938 · #1 05-27-2015, 04:40 AM

When migrating customers from 4.x to 5.x decrypting the passwords is probably not an option.

So, to force your customers to change their passwords on the new store, you would need the decrypted password from 4.x and the encrypted SHA512 password from 5.x.

Is there a way to force a customer to change their password if there is nothing in the password column?

qualiteam · #2 05-27-2015, 11:25 PM

Quote:

Originally Posted by jack68938

Is there a way to force a customer to change their password if there is nothing in the password column?

How would this work? Would be anyone able to enter any e-mail address and specify the new password? It looks to be insecure.

Instead, you can do it as follows: export all user e-mails and send them an e-mail asking to use the page at [your-domain]/cart.php?target=recover_password for changing their passwords.

Will this work?

jack68938 · #3 05-28-2015, 04:10 AM

It would be very insecure to have nothing in the password field. Is there any way to have them change/recover their passwords on the store site?

Emailing the customers is most likely not an option.

tony_sologubov · #4 06-03-2015, 04:38 AM

Quote:

Originally Posted by jack68938

It would be very insecure to have nothing in the password field. Is there any way to have them change/recover their passwords on the store site?

Emailing the customers is most likely not an option.

Are you sure that the option of emailing and asking them to recover their password here (cart.php?target=recover_password) would not work for you? If so, why not? It is secure as we do not email passwords as plain text.

Please, let me know.

Tony

jack68938 · #5 06-04-2015, 11:52 AM

That would work but the passwords would have to be decrypted from 4.x and encrypted to 5.2. There is the problem.

qualiteam · #6 06-04-2015, 11:59 AM

Uh, sorry, but I don't get why you think that the "recover password" function won't work without decrypting passwords from 4.x and encrypting them to 5.2.

Or is there some other goal that you want to achieve by doing the re-encrypting?

jack68938 · #7 06-04-2015, 12:15 PM

If the data is exported from xCart 4.x and then imported in to xCart 5.x... The passwords in the 4.x install are something like "B-wls09823hf92" so when a user tries to login to the 5.x install, the password reset option never comes up. Just a invalid password alert.

The same happens if the password field is left blank.

qualiteam · #8 06-04-2015, 12:25 PM

Do you mean that "cart.php?target=recover_password" URL does not display the "Recovery password" page? It works OK for me on my local 5.2.5 installation.

jack68938 · #9 06-04-2015, 12:33 PM

Ahhhh. Ok I see. You mean to email the customers that link and they can change their password. I was testing it as if the customer went to the store and tried to login. They get a password invalid.

cflsystems · #10 06-04-2015, 12:47 PM

Customers should see "forgot password" link on the login screen. If this is not present it is something wrong with your installation or it is a bug in cart. If they try to login and login is wrong they can click on the link right there on the spot. No need for emails.

While on the subject the whole "forgot password" logic there is so messed up. The link is called "forgot password", the url is "recover password" and the text is "reset password". Most likely the email prompts you to click on a link and specify new password. So how is this "recover password" I don't know.... since nothing is being recovered but new password is being setup instead.