Migrating your Magento 1 users
So you're still on a Magento 1 installation for your e-commerce website. That's okay, you aren't the only one. According to SimilarTech, Magento 1 has over 60,000 installations out there, despite hitting end-of-life in June 2020.
One of the biggest things you are likely to wrestle with is whether you bring across your users' passwords or force them to change them.
Ideally you should get users to reset their passwords. This will help ensure all weak passwords are changed in line with whatever password requirements are part of your new platform.
However, if the decision is out of your hands and there's a desire to migrate passwords from Magento 1 to a new platform, how do you do it?
The passwords in Magento 1 are salted and hashed, so you can't recover the plaintext passwords and simply run them through the hash algorithm of the new system. Migration is still possible, but it has to happen at login time, when the plaintext password is briefly available to you.
Magento 1 hashing
The good news is Magento does salt and hash passwords. The passwords are stored in the format hash:salt (very old accounts may have a bare, unsalted MD5 hash with no salt part at all). The salt is prepended to the user-submitted password, and that combined string is hashed to get the stored hash: hash(salt + password).
Depending on the specific version of Magento 1, and also when the customer last logged in, the hash used for the password storage may vary. They are hashed using either:
- MD5, or
- SHA-256
Which one was used can be determined from the length of the hash part: an MD5 digest is 32 hex characters, a SHA-256 digest is 64. Split on the colon and measure the hash rather than the whole hash:salt string, since salt lengths also differ between records.
Yes, some of the passwords in your database may only be hashed using MD5. Sure, they are salted, which stops precomputed rainbow tables, but a single round of MD5 (or SHA-256) is a fast hash with no work factor: anyone who gets access to the password table has the salt alongside each hash and can try billions of guesses per second per record on commodity GPUs. This is the main reason to force users to reset their passwords.
How do you keep the passwords?
No matter which platform you migrate to, this is going to require some custom code in the login area. That should fill you with dread, and it is a compelling argument not to carry the passwords over with the users.
If you do need to carry over the passwords from the legacy system you should mark the accounts as having a legacy password so you can update them and move away from the fast-hash algorithms Magento 1 uses.
The logic which needs to be implemented as part of the login flow is as follows:
- Check if the user has a legacy password (using whatever identifier you have decided upon to denote that)
- If the user does not have a legacy password, use the system default login mechanism
- If the user has a legacy password:
  - extract the salt from the stored password (everything after the colon)
  - create a candidate string by prepending the salt to the user-provided password
  - determine the type of hash used for the stored password from the length of the hash part
  - generate the hash with that algorithm and compare it to the stored one using a constant-time comparison
  - if the hash matches, continue to the next part; otherwise, return the login failure to the user
- Once the legacy password has been validated by the legacy hash algorithm:
  - generate a new salt for the user's password
  - generate a hash using the new system's hash algorithm and the newly generated salt for the user-supplied password
  - store the new hash and salt in the new system's database
  - remove the "legacy password" flag from the user account
This method will allow the user to log in with their existing password, and then re-hash it with an up-to-date hashing algorithm which is part of the authentication mechanism of the new system. Over time the number of legacy passwords in the system will decrease without the need for every customer to reset their password at the launch of the new site.
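The flow above, written out as an added example (this is not code from the article or from Magento, and the new platform's hash scheme is an assumption). It reproduces Magento 1's verification rule, hash(salt + password) stored as hash:salt with the algorithm chosen by digest length, then re-hashes with PBKDF2-HMAC-SHA256 (chosen only because it is in the Python standard library; use whatever your platform's password library provides). It also enforces the lifetime limit suggested in the next section via the assumed LEGACY_LIFETIME_SECONDS constant. The User class, make_magento1_hash fixture helper, and the iteration count are all illustrative:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# ---- Magento 1 side: stored as 'hash:salt', hash = md5|sha256(salt + password) ----

def make_magento1_hash(password: str, salt: str, algo: str = "md5") -> str:
    """Build a record in Magento 1's format. Used here only to create test fixtures."""
    digest = hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_magento1_hash(password: str, stored: str) -> bool:
    """Check a password against a Magento 1 record.

    The digest length identifies the algorithm (32 hex chars = MD5, 64 = SHA-256);
    measuring the digest rather than the whole string keeps this independent of
    the salt length. A record with no ':salt' part (very old accounts) is an
    unsalted MD5 of the password, which the empty-salt path below handles.
    """
    digest, _, salt = stored.partition(":")
    digest = digest.lower()
    if len(digest) == 32:
        algo = "md5"
    elif len(digest) == 64:
        algo = "sha256"
    else:
        return False  # unknown format: reject rather than guess
    candidate = hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- New platform side: a slow, salted KDF (assumed scheme for this example) ----

PBKDF2_ITERATIONS = 100_000  # assumed value; tune for your hardware and platform


def new_system_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt in a self-describing 'scheme$iters$salt$dk' form."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_new_system_hash(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# ---- Login flow with legacy flag and sunset ----

LEGACY_LIFETIME_SECONDS = 180 * 24 * 3600  # assumed ~6 month limit for imported hashes


@dataclass
class User:
    email: str
    password_hash: str
    legacy_password: bool = False        # flag: password_hash is a Magento 1 record
    migrated_at: Optional[float] = None  # epoch seconds when the legacy hash was imported


def login(user: User, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'failed' or 'reset_required'; upgrades a legacy hash in place."""
    now = time.time() if now is None else now
    if not user.legacy_password:
        return "ok" if verify_new_system_hash(password, user.password_hash) else "failed"

    # Legacy path: verify with Magento 1's algorithm first, so an expired account
    # does not reveal itself to someone who does not know the password.
    if not verify_magento1_hash(password, user.password_hash):
        return "failed"
    if user.migrated_at is not None and now - user.migrated_at > LEGACY_LIFETIME_SECONDS:
        return "reset_required"  # past the lifetime limit: stop honouring fast hashes

    # Correct password inside the window: re-hash with the new scheme and clear
    # the flag so this code path is never taken again for this user.
    user.password_hash = new_system_hash(password)
    user.legacy_password = False
    user.migrated_at = None
    return "ok"
```

Note that the legacy hash is never accepted on its own: a successful match is immediately replaced by a new-scheme hash and the flag cleared, so the MD5 or SHA-256 value leaves the database the first time the customer logs in. Persisting the updated User record is the platform's job and is omitted here.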
Planning for the future
If you do implement this method of user migration (and please don't if you can avoid it), do everything you can to set a lifetime limit on this code. If someone hasn't logged in to your new platform after 3-6 months, there's a high probability they won't. Those accounts can then either be removed under whatever data retention policy you have, or have their legacy hash deleted so they are forced to reset their password when they next log in.