Stronger Password Hashing

CS-Cart uses blowfish to hash credit card information. This is great because blowfish is considered very secure. However, CS-Cart 2.x uses unsalted md5 hashing for user passwords. How complicated would it be to change 2.x to use salted md5 or blowfish hashing and update all existing passwords?

Shouldn't be too difficult; at a quick glance, these files handle it all in V2.2.5 and V3.0.5 by the look of it:

/controllers/common/auth.php
/core/fn.users.php
/schemas/exim/users.php

Why do you want to do this though? Regardless of what encryption method is used, they are all just as susceptible once an intruder has access to your database. I'd be more inclined to ensure the cart runs on a current version of PHP to lower your risks due to security vulnerabilities in PHP and ensure the server is as secure as possible.

[quote name='StellarBytes' timestamp='1360875933' post='155335']Regardless of what encryption method is used, they are all just as susceptible once an intruder has access to your database.[/quote]

I disagree. SQL injection could be used to dump the contents of the database without ever gaining access to the site files. Most hackers would probably recognize an md5 hash right away, but a blowfish hashed password would basically be useless unless they were able to get the key. With CS-Cart, a unique, random key is used before the password is base64 encoded and stored in the DB.

[quote name='Said everyone, forever and ever']Where there's a will, there's a way.[/quote]

How does SQL injection work? Vulnerabilities. In what? Software installed on the server.

CS-Cart uses salted md5 for password storage. No base64. If a user was created before about version 2.2.1, I believe the md5 was unsalted.
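The original question asks how hard it would be to move 2.x to Blowfish-based hashing and update all existing passwords, and the last reply points out that accounts created after about 2.2.1 already hold salted md5 while older ones hold unsalted md5. One practical answer is that existing hashes cannot be converted in bulk, because the plaintext is only available at the moment a user logs in; so the login check accepts whichever legacy format the row holds and rewrites it with bcrypt (the Blowfish-based `$2y$` scheme behind PHP's `password_hash()`, PHP 7.0 or later) the first time the password is seen. The sketch below is an added example written for this thread; it is not CS-Cart's code and not code posted by anyone above. The row layout with `password` and `salt` columns, the column names, and the sample accounts are assumptions.

```php
<?php
// Added example, not CS-Cart's own code: transparent upgrade of legacy MD5
// password hashes to bcrypt using PHP's password_hash()/password_verify()
// (PHP >= 7.0). Assumed row layout: `password` and `salt` columns; CS-Cart's
// real column names and storage format may differ.

const BCRYPT_COST = 12; // work factor; raise it as hardware gets faster

// Legacy check: unsalted md5 (accounts created before ~2.2.1) or
// md5(password . salt) for later accounts.
function legacyMd5Matches(string $candidate, string $storedHash, string $salt = ''): bool
{
    $computed = ($salt === '') ? md5($candidate) : md5($candidate . $salt);
    // hash_equals() compares in constant time.
    return hash_equals($storedHash, $computed);
}

// bcrypt hashes produced by password_hash() start with "$2y$".
function isBcrypt(string $hash): bool
{
    return strpos($hash, '$2y$') === 0;
}

// Verify a login attempt and, on success, make sure the stored hash is bcrypt.
// Returns true for a correct password; $user is updated in place when rehashed.
// Persisting the updated row back to the users table is left to the caller.
function verifyAndUpgrade(array &$user, string $candidate): bool
{
    $stored = $user['password'];
    $opts   = ['cost' => BCRYPT_COST];

    if (isBcrypt($stored)) {
        if (!password_verify($candidate, $stored)) {
            return false;
        }
        // Re-hash if the cost was raised since this hash was written.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
            $user['password'] = password_hash($candidate, PASSWORD_BCRYPT, $opts);
        }
        return true;
    }

    // Legacy MD5 path: salted when a per-user salt is present, unsalted otherwise.
    if (!legacyMd5Matches($candidate, $stored, $user['salt'] ?? '')) {
        return false;
    }
    // The plaintext is only in memory right now, so upgrade immediately.
    $user['password'] = password_hash($candidate, PASSWORD_BCRYPT, $opts);
    $user['salt']     = ''; // bcrypt embeds its own random salt in the hash
    return true;
}

// --- demo on constructed rows (not real accounts) ---
$plaintexts = ['old@example.test' => 'correct horse', 'mid@example.test' => 'battery staple'];
$users = [
    // pre-2.2.1 style: unsalted md5
    ['email' => 'old@example.test', 'password' => md5('correct horse'), 'salt' => ''],
    // 2.2.1+ style: md5(password . salt)
    ['email' => 'mid@example.test', 'password' => md5('battery staple' . 'x7Qp'), 'salt' => 'x7Qp'],
];

foreach ($users as &$u) {
    $pw     = $plaintexts[$u['email']];
    $first  = verifyAndUpgrade($u, $pw);     // matched via legacy md5, then rehashed
    $second = verifyAndUpgrade($u, $pw);     // now verified via bcrypt
    $wrong  = verifyAndUpgrade($u, 'wrong'); // must fail and leave the row untouched
    printf("%s: first=%s second=%s wrong=%s bcrypt=%s\n",
        $u['email'],
        $first ? 'ok' : 'FAIL', $second ? 'ok' : 'FAIL', $wrong ? 'ACCEPTED' : 'rejected',
        isBcrypt($u['password']) ? 'yes' : 'no');
}
unset($u);
```

Until a user logs in, their row keeps its md5 hash, so an attacker who dumps the table in the meantime still gets the weak format for those accounts. The usual way to close that window at once is to bcrypt the existing md5 value itself (store `password_hash($md5)` and verify with `password_verify(md5($candidate), ...)`), which turns every row into a slow hash without needing the plaintext; the login-time upgrade above can then replace the wrapped form with a plain bcrypt hash.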