Nov 21, 2014 at 03:36 PM

User password hashing


Hi all,

I was wondering how Hybris creates the hash (encoded password in hMc) for a user's password. I know it uses MD5, and that it takes the plain password.

But clearly it also uses some extra data as well. I tried to encode the plain text with MD5 through code, but I get a different result when I encode the same plain text through the hMc.

For example: I have a Customer, and in the hMc I change his password using the MD5 encoding to "azertyuiop1".

The resulting encoded password is "c2179ee5c6c79359c3a96c5eb757f154". Then, I try to hash the "azertyuiop1" through code with:

 final PasswordEncoder encoder = new MD5PasswordEncoder();
 //getNewPassword = "azertyuiop1"
 userService.setPassword(userService.getCurrentUser().getUid(), encoder.encode(updatePasswordForm.getNewPassword()));

Now, the resulting encoded password is "285339edfa9548d3edee2239fb63fa8d".

So clearly, Hybris uses something else to append to the plain text.

Does anyone have any idea which it could be? I tried Uid, PK and userModel.toString (userModel of course being the user I currently am using) but those all result in different hashcodes (but not the same as the one that Hybris results through hMc).

Thanks in advance!