Inside class.zcPassword.php (/includes/classes) you will find it:
It describes the preliminary comparison it performs before deciding what to do with passwords using ircmaxell/password-compat, here:
    function detectPasswordType($encryptedPassword)
    {
        $type = 'unknown';
        // Try to break the hash into an array of 2 elements at ':',
        // the first being the hash, the second a suffix.
        $tmp = explode(':', $encryptedPassword);
        if (count($tmp) == 2) { // if it breaks...
            if (strlen($tmp[1]) > 2) { // ...then check if the 2nd has a length > 2...
                $type = 'compatSha256'; // ...if it does, it is SHA2
            } elseif (strlen($tmp[1]) == 2) { // ...if not, make sure it == 2...
                $type = 'oldMd5'; // ...just to confirm it is MD5
            }
        }
        return $type; // and return the string to be treated ahead
    }
EDIT: commented the code.
As you can see, :c1 is just the salt suffix (the function explodes the string when it finds it), which it reads to determine which algorithm it should execute in order to maintain backward compatibility (in your case MD5) according to the PHP version; therefore the hashes are the same.
I would advise you to simply remove the suffix at the end of all your passwords, starting at the :, or work on this function and its dependencies to ignore this check.
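An added example, not part of the answer above and not Zen Cart's own code: it classifies a stored value with the same rule as detectPasswordType(), verifies a legacy hash in constant time, and returns a password_hash() replacement after a successful login. The function names classifyStoredHash and verifyAndUpgrade are hypothetical, and the code assumes that the legacy layout is hash(salt . password) followed by ':' and the salt, and that a value with no suffix is a password_hash() string.

```php
<?php
// Added example. ASSUMPTION: legacy records are hex(hash(salt . password)) . ':' . salt,
// and anything without that suffix was produced by password_hash().

function classifyStoredHash(string $stored): string
{
    // Same rule as detectPasswordType(): split at ':' and look at the suffix length.
    $parts = explode(':', $stored);
    if (count($parts) === 2) {
        if (strlen($parts[1]) > 2) {
            return 'compatSha256';
        }
        if (strlen($parts[1]) === 2) {
            return 'oldMd5';
        }
    }
    return 'unknown';
}

function verifyAndUpgrade(string $plain, string $stored): array
{
    $type = classifyStoredHash($stored);
    if ($type === 'unknown') {
        // No "hash:salt" suffix: treat it as a password_hash() string (assumption).
        $ok = password_verify($plain, $stored);
        $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } else {
        [$digest, $salt] = explode(':', $stored);
        $algo = $type === 'oldMd5' ? 'md5' : 'sha256';
        // hash_equals() compares in constant time, unlike == on hex digests.
        $ok = hash_equals($digest, hash($algo, $salt . $plain));
        $rehash = $ok; // every legacy record is upgraded after a good login
    }
    return [
        'valid'   => $ok,
        'type'    => $type,
        'newHash' => $rehash ? password_hash($plain, PASSWORD_DEFAULT) : null,
    ];
}

// Constructed sample: a legacy MD5 record with the two-character salt "c1".
$legacy = md5('c1' . 'example-password') . ':c1';
$result = verifyAndUpgrade('example-password', $legacy);
var_dump($result['valid'], $result['type']);
// The replacement has no ':' suffix, so it no longer takes a legacy branch.
var_dump(classifyStoredHash($result['newHash']));
```

Storing newHash in place of the old value on each successful login retires the MD5 and SHA-256 records without requiring a password reset.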