How does hybris store password hashes


TLDR: What does Hybris do with password hashes before storing them in the database? Because values in the database field are NOT standard password hashes.


I had to add the TLDR above, because two users posted answers that are indicative that they didn't read (or understand) the question.

I'm working with Hybris 1905. When I set a user's password in backoffice, I can choose the type of hashing algorithm, including MD5, SHA-256 and a few others. Yet the password value stored in the database is clearly not a simple hash with the algorithm. For example, here are hashes of password test1234, with various hashing algorithms:

  • Salted MD5: 1:Gtjd5QVM/t0HLT5PvZCU4g==s9B8Vw/BIkzixwzMzueRR1R6WY9y8Fq9BqFqwGIuY2fGK+KFYSXjNf5G0fbAlb9u
  • SHA-256: 1:etvHTnwzMfX/DnbNPhmQBA==8jq6sLLcb/PrIhVB9D+YA61L2mr0dlBYr/84G/K9Kzqe4gpvPF10ja8RaIE94b3A+joszlMutGrHezDs871A/8Yr4oVhJeM1/kbR9sCVv24=
  • SHA-512: 1:ZSaQW0C+r/NMVwRRVTCm9w==4qQJdmvU4PE02ipY0Mvkp2sb+bMuMHTiMIVE2m6NESzv2BEFG2O1MIjkzFUES6f7jzoVOEuVmd/E8mqOUoogbL9rpkOPmeMEj5EpB2iued3UAouLvv6PuUCyFJGJdoRsZJzwO2Lj30iokY4RsG0OKXYuGdUjNYU7X1AUggH+eWfGK+KFYSXjNf5G0fbAlb9u
  • PBKDF2 (HMAC-SHA1): 1:HIKWvUwTA/pVC9mXzl9qgw==NOsr8pkNUIbEGoiWFa5oArnlEfZNALK0cuczK7dxtxHbDTby+7w3ml1pf8HNmXjalq1A/tSvlb+gwZMRS4Q7ncMhU5w1b6HwV+BGEBG9ecqahzUOK7mNZrLbh9t50M0mRr2AVQJnn7bfvdJ5E3C4UPdoN44v1mAgIuC/9RKTnhj/1BhjHqKf1pozhFfoBz8FdSxBQMmKY91/c4VzkinqiSy5wkaWjOSQQuAN9ZoWmvw=
  • BCrypt: 1:GL1kPl93Nx4RjOymIhC1Kw==Xh9ZddGPIxUqpipcEvJ+bRHApEyWVPkXtxPlsYgzokUo4ktC/vh4weA6hrMEebtQC/OttaVzG3+9tUCHxFHCcw==

Clearly this is some sort of encoding that Hybris puts on top of the chosen hashing algorithm - but what is it? Is it encoding (i.e. can be decoded) or hashing?

I need to migrate a large database of users from another platform to this Hybris installation. I have existing usernames and corresponding hashed passwords, which I want to import. These are standard bcrypt hashes, so the same test1234 string would have hash $2y$16$mK9cm.pwOp8ve9oH0VqkT.123HGy/RHYLcd1GB.N5zEqBylV.22wm. Yet I am struggling to understand how to import this hash into Hybris users table.

On BEST ANSWER

What does Hybris do with password hashes before storing them in the database? Because values in the database field are NOT standard password hashes.

It's because the encodedPassword attribute is declared with the encrypted="true" modifier. Because of that, hybris encrypts the value before storing it in the DB. Read more about Transparent Attribute Encryption (TAE) and how it works in hybris.

    <attribute autocreate="true" qualifier="encodedPassword" type="java.lang.String">
        <persistence type="property" qualifier="Passwd">
            <columntype>
                <value>HYBRIS.LONG_STRING</value>
            </columntype>
        </persistence>
        <modifiers read="true" write="true" search="true" optional="true" encrypted="true"/>
    </attribute>

In your case, you probably need to create your own password encoder and set it to all migrated users, so that your system manages to authenticate migrated users with custom encoder, and then you can redirect the user to reset the password. In the reset password flow, you can update the password encoding with the new OOTB encoder so that new hash will be generated.

other references 1, 2
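To see what the encrypted="true" layer does to the five values in the question, here is an added diagnostic in Python. It is not hybris code and not from either answer; the only facts it takes from the page are the five stored values for the password test1234 and that the attribute is encrypted. It splits each value on the assumed layout `<key id>:<base64 16-byte head><base64 payload>` (reading "1:" as a key identifier and the 24-character prefix as a per-row header is an assumption, marked as such in the code), decodes both segments, checks whether the payload is a whole number of 16-byte blocks, which no hex digest or bcrypt string is, and reports which rows end in the same ciphertext block.

```python
"""Inspect the value hybris stores in Users.Passwd when encodedPassword is encrypted.

Added example, not hybris code. Facts taken from the page: the five stored values
for the password "test1234" and the encrypted="true" modifier on encodedPassword.
ASSUMPTION: the layout is "<key id>:<base64 of 16 bytes><base64 of payload>";
nothing here decrypts anything, it only measures the pieces.
"""
import base64
import re

# Values copied from the question; each is the same password "test1234" stored
# after a different hashing algorithm was selected in Backoffice.
STORED = {
    "salted-md5": "1:Gtjd5QVM/t0HLT5PvZCU4g==s9B8Vw/BIkzixwzMzueRR1R6WY9y8Fq9BqFqwGIuY2fGK+KFYSXjNf5G0fbAlb9u",
    "sha-256": "1:etvHTnwzMfX/DnbNPhmQBA==8jq6sLLcb/PrIhVB9D+YA61L2mr0dlBYr/84G/K9Kzqe4gpvPF10ja8RaIE94b3A+joszlMutGrHezDs871A/8Yr4oVhJeM1/kbR9sCVv24=",
    "sha-512": "1:ZSaQW0C+r/NMVwRRVTCm9w==4qQJdmvU4PE02ipY0Mvkp2sb+bMuMHTiMIVE2m6NESzv2BEFG2O1MIjkzFUES6f7jzoVOEuVmd/E8mqOUoogbL9rpkOPmeMEj5EpB2iued3UAouLvv6PuUCyFJGJdoRsZJzwO2Lj30iokY4RsG0OKXYuGdUjNYU7X1AUggH+eWfGK+KFYSXjNf5G0fbAlb9u",
    "pbkdf2": "1:HIKWvUwTA/pVC9mXzl9qgw==NOsr8pkNUIbEGoiWFa5oArnlEfZNALK0cuczK7dxtxHbDTby+7w3ml1pf8HNmXjalq1A/tSvlb+gwZMRS4Q7ncMhU5w1b6HwV+BGEBG9ecqahzUOK7mNZrLbh9t50M0mRr2AVQJnn7bfvdJ5E3C4UPdoN44v1mAgIuC/9RKTnhj/1BhjHqKf1pozhFfoBz8FdSxBQMmKY91/c4VzkinqiSy5wkaWjOSQQuAN9ZoWmvw=",
    "bcrypt": "1:GL1kPl93Nx4RjOymIhC1Kw==Xh9ZddGPIxUqpipcEvJ+bRHApEyWVPkXtxPlsYgzokUo4ktC/vh4weA6hrMEebtQC/OttaVzG3+9tUCHxFHCcw==",
}

# ASSUMED layout. A 16-byte head is always 22 base64 characters plus "==", and
# "=" can only terminate a base64 segment, so the first "==" separates head
# from payload unambiguously.
_LAYOUT = re.compile(r"^(\d+):([A-Za-z0-9+/]{22}==)([A-Za-z0-9+/]+={0,2})$")

BLOCK = 16  # AES block size; the hypothesis being tested is a 128-bit block cipher


def parse_stored_value(value):
    """Split one stored value into key id, 16-byte head and raw payload bytes."""
    m = _LAYOUT.match(value)
    if not m:
        raise ValueError("not in the <keyid>:<base64><base64> layout: %r" % value)
    key_id, head_b64, body_b64 = m.groups()
    return {
        "key_id": int(key_id),
        "head": base64.b64decode(head_b64, validate=True),
        "body": base64.b64decode(body_b64, validate=True),
    }


def looks_like_block_ciphertext(body):
    """True when the payload is a non-empty whole number of 16-byte blocks."""
    return len(body) > 0 and len(body) % BLOCK == 0


def analyse(stored=STORED):
    """Per-row sizes plus the groups of rows that share their final ciphertext block."""
    rows = {name: parse_stored_value(v) for name, v in stored.items()}
    report = {}
    for name, row in rows.items():
        body = row["body"]
        report[name] = {
            "key_id": row["key_id"],
            "head_len": len(row["head"]),
            "body_len": len(body),
            "blocks": len(body) // BLOCK,
            "block_aligned": looks_like_block_ciphertext(body),
        }
    # Bucket rows by their last 16 payload bytes; a bucket with more than one
    # member means two different plaintexts produced the same final block.
    by_tail = {}
    for name, row in rows.items():
        by_tail.setdefault(row["body"][-BLOCK:], []).append(name)
    shared = [sorted(names) for names in by_tail.values() if len(names) > 1]
    return report, shared


if __name__ == "__main__":
    report, shared = analyse()
    for name, r in report.items():
        print(f"{name:11s} key={r['key_id']} head={r['head_len']}B body={r['body_len']}B "
              f"({r['blocks']} x {BLOCK}B, aligned={r['block_aligned']})")
    for names in shared:
        print("same final 16-byte ciphertext block:", ", ".join(names))
```

Running it gives payloads of 3, 5, 9, 11 and 4 blocks of 16 bytes for the MD5, SHA-256, SHA-512, PBKDF2 and BCrypt rows, all under key id 1, with nothing hash-shaped anywhere. That is the answer to "encoding or hashing": the column holds a ciphertext, and the hash chosen in Backoffice is only recoverable by decrypting with the installation's TAE key, so that key must sit inside the same trust boundary as the database. One caveat from the page's own data: the MD5, SHA-256 and SHA-512 rows share their final 16 ciphertext bytes. A mode that mixes a fresh random IV into every block would not produce that, so do not read the 16-byte head as proof of randomised encryption; check what TAE actually does on your version before relying on the ciphertext for anything beyond at-rest obfuscation.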

On

Hybris always stores passwords in an encoded format. The default strategy in SAP Commerce is PBKDF2. When necessary, you can change it through the default.password.encoding property. You can also implement your own password encoding strategy by implementing the PasswordEncoder interface and adding the custom password encoding strategy bean to core.passwordEncoderFactory bean.

On

To correct my answer: Hybris always creates a hash from the combination of username and password.

The PasswordEncoderFactoryImpl class is responsible for returning the correct Encoder class based on the input encoding:

    factory.getEncoder(encoding).encode(user.getUID(), password)

Hybris supports: [image of the supported encodings]

You can test this with an already existing test user whose password you know: generate the hash with the same algorithm and compare it with the stored encoded password; it should give the same result.

To validate it, just write a simple Groovy script and compare its output with the encoded password of the test user used in the script, as shown in Backoffice. Here the encoding is pbkdf2: [image of the Groovy script and its output]