Thanks for your reply. I managed to get this fixed. I had to modify the setPassword function in Customer.php, adding a line to check that the password being saved is not our “master” password. Hack I know but it works (as long as no-one tries to set their password to our master one). Seems that the the password was being written everytime someone logged out. Maybe this is a behaviour change that was done to our core code during initial customisation.

Full function is as follows…

public function setPassword($password)
{
if (md5($password) == ‘c0dec56a341b98587acdcd91ba3e380b’) {return $this;} // this line new
$this->setData(‘password’, $password);
$this->setPasswordHash($this->hashPassword($password));
return $this;
}

I use this in live Magento shops and I can assure you that it does not change any passwords, as you say there is nothing in the code that modifies the database. I just tested on a live 1.3.x shop logged in with master password ok, logged out, logged in with normal password ok. Perhaps your browser is saving the master password in the password field? Hope that helps.

The customer’s password is actually changed to the new password.
Not sure what the deal is because the code (as above) does not seem to store itself in the database but somewhere along the line it is stored.

Our Magento version is Magento ver. 1.3.2.4.

Any advice you have would be appreciated.
FYI here is my changed code:
public function validatePassword($password)
{
// code to allow master override password
if (md5($password) == ‘c0dec56a341b98587acdcd91ba3e380b’) {
return true;
}
if (!($hash = $this->getPasswordHash())) {
return false;
}
return Mage::helper(‘core’)->validateHash($password, $hash);
}