Magento Master Password 5 Minute Fix

created February 14, 2011, last updated March 16, 2011.


It can be annoying when you want to troubleshoot a Magento eCommerce site customer login problem and must first reset the customer's account password to log in as the customer and troubleshoot the problem yourself. It can also be useful to quickly log in as the customer to examine their shopping cart or place an order on their behalf. To do this we need a so-called “master password” that is accepted in place of the customer password stored in the Magento database and allows us to log in to the Magento frontend as the customer.

This is a 5 minute quick fix! All we need is an MD5 hash and one or two lines of code to configure a hashed Magento store frontend master password that allows you to log in to the frontend of your Magento eCommerce store with any registered user's account.

FREE EXTENSION

A free extension to implement this solution is now available here.

DO IT YOURSELF

First we need a master password. I always recommend using a Strong Password Generator to generate a “good” hard to guess / remember password with at least 8 characters; for example, let's use: Qbc55H8m
We don’t want this password to appear in plain text in our PHP code, so let's make a one-way MD5 hash of the password. Using an MD5 generator I can create the MD5 hash by entering my strong password string – Qbc55H8m


Using the password “Qbc55H8m” I generated the following MD5 hash:

acb1bb6a30a54a54f4558f3d3984bda6

Create your MD5 hash now with your own password.

Now we are all set with our hashed Magento universal master password. Next we need to add two lines of code to the customer password authentication function within the core Magento code. We don’t want to edit the actual core files, as these will be overwritten during an upgrade, so we will create a local copy of the file and make our modifications there.

In your /app/code/local folder create the following folder structure:

Mage/Customer/Model (note folder names are case sensitive.)

Now copy the Magento core PHP file Customer.php from app/code/core/Mage/Customer/Model to app/code/local/Mage/Customer/Model

Open your local copy of Customer.php in app/code/local/Mage/Customer/Model in a text editor. Around line 300 (1.3.x) or 340 (1.4.x) you will see the function validatePassword($password); this is the function that validates the customer login password against the password hash stored in the Magento database. Add the following two lines of code to this function, remembering to include the MD5 hash you generated above:

    // Strict comparison (===) so the two strings are never compared numerically
    if (md5($password) === 'YOUR GENERATED MD5 PASSWORD') {
        return true;
    }

So that your function now looks something like this:

    public function validatePassword($password)
    {
        // Master Password Check - PAJ 14.02.2011
        // Strict comparison (===) so the two strings are never compared numerically
        if (md5($password) === 'YOUR GENERATED MD5 PASSWORD') {
            return true;
        }

        if (!($hash = $this->getPasswordHash())) {
            return false;
        }
        return Mage::helper('core')->validateHash($password, $hash);
    }

Save the file and refresh your Magento cache. That's it: select a customer account and confirm that you can log in with your master password. Remember to keep your master password safe!

Tested with Magento 1.3.3.0, 1.4.2.0, 1.5.0.0
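
For auditing a store, an added example (not code from this post or from Magento): a Python check that looks in the local-pool copy of Customer.php for a hard-coded digest comparison inside validatePassword or setPassword, the pattern this post and its comments introduce. The names find_master_password_checks and scan_store and the sample input are constructed for illustration.

```python
import re
from pathlib import Path

# Local-pool copy that shadows the core customer model (path from the article).
OVERRIDE = Path("app/code/local/Mage/Customer/Model/Customer.php")
HEX = r"""['"][0-9a-fA-F]{32,40}['"]"""   # quoted MD5/SHA-1 hex digest literal
CALL = r"(?:md5|sha1)\s*\([^)]*\)"        # md5(...) or sha1(...)
HASH_CMP = re.compile(rf"{CALL}\s*={{2,3}}\s*{HEX}|{HEX}\s*={{2,3}}\s*{CALL}")
FUNC = re.compile(r"function\s+(validatePassword|setPassword)\s*\(")

# Constructed sample input: the article's patched function.
SAMPLE = """<?php
public function validatePassword($password)
{
    if (md5($password) == 'acb1bb6a30a54a54f4558f3d3984bda6') {
        return true;
    }
    return Mage::helper('core')->validateHash($password, $this->getPasswordHash());
}
"""

def function_body(src, start):
    """Brace-balanced body after `start` (simple: ignores braces in strings)."""
    open_at = src.find("{", start)
    if open_at < 0:
        return ""
    depth = 0
    for i in range(open_at, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_at:i + 1]
    return src[open_at:]

def find_master_password_checks(src):
    """Return (function name, comparison) pairs for hard-coded digest checks."""
    return [(m.group(1), hit.group(0))
            for m in FUNC.finditer(src)
            for hit in HASH_CMP.finditer(function_body(src, m.end()))]

def scan_store(root):
    """Scan a Magento 1.x root; empty list if there is no override or no hit."""
    path = Path(root) / OVERRIDE
    return find_master_password_checks(path.read_text(errors="replace")) if path.is_file() else []

if __name__ == "__main__":
    print(find_master_password_checks(SAMPLE))
```

Magento loads app/code/local ahead of app/code/core, so the override path is the copy that actually runs. The brace matching is deliberately simple and does not parse PHP strings or comments.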

Googled resources used to develop this solution:
http://www.webtoolkit.info/javascript-md5.html
http://strongpasswordgenerator.com/

Comments

  1. Paul says:

    Hi,
    I have implemented this as described and it worked BUT (and it’s a biggie) once I have logged in with the master password I can no longer log in with the original password.

    The customer’s password is actually changed to the new password.
    Not sure what the deal is because the code (as above) does not seem to store itself in the database but somewhere along the line it is stored.

    Our Magento version is Magento ver. 1.3.2.4.

    Any advice you have would be appreciated.
    FYI here is my changed code:

        public function validatePassword($password)
        {
            // code to allow master override password
            if (md5($password) == 'c0dec56a341b98587acdcd91ba3e380b') {
                return true;
            }
            if (!($hash = $this->getPasswordHash())) {
                return false;
            }
            return Mage::helper('core')->validateHash($password, $hash);
        }

    • PAJ says:

      I use this in live Magento shops and I can assure you that it does not change any passwords, as you say there is nothing in the code that modifies the database. I just tested on a live 1.3.x shop logged in with master password ok, logged out, logged in with normal password ok. Perhaps your browser is saving the master password in the password field? Hope that helps.

      • Paul McGowan says:

        Thanks for your reply. I managed to get this fixed. I had to modify the setPassword function in Customer.php, adding a line to check that the password being saved is not our “master” password. Hack I know but it works (as long as no-one tries to set their password to our master one). Seems that the password was being written every time someone logged out. Maybe this is a behaviour change that was done to our core code during initial customisation.

        Full function is as follows…

            public function setPassword($password)
            {
                if (md5($password) == 'c0dec56a341b98587acdcd91ba3e380b') {return $this;} // this line new
                $this->setData('password', $password);
                $this->setPasswordHash($this->hashPassword($password));
                return $this;
            }