Password Migration (SHA1 → SHA512)

SKU: NOP-PLG-002
Transparently upgrades customer passwords from legacy SHA1 (nopCommerce 3.10–4.20) to SHA512 the next time each customer logs in successfully. No customer reset, no email blast, no downtime — with a live admin dashboard tracking remaining and migrated accounts.
$19.00
Product Description

Upgraded from nopCommerce 3.10–4.20 to 4.30+? Your legacy customers can no longer log in.

nopCommerce switched to SHA512 as the default password hash starting with 4.30. Stores upgraded from older releases still carry SHA1 hashes in their customer table — and here is the catch: nopCommerce's login validator hashes the entered password using the store's current hash format, without first trying the format the stored hash was originally created with. The result on an upgraded 4.30+ store is that a customer with a valid SHA1 hash typing the correct password is told "wrong password".

Password Migration resolves this without disturbing your customers. The plugin slips transparently into the login flow: when a customer attempts to sign in, it first verifies the entered password against the legacy SHA1 hash, then immediately rewrites the password row with a fresh salt and SHA512 hash, and lets the standard validator complete the login. The customer sees nothing different — but in your admin dashboard, the migration counter advances in real time.

Why you need this plugin

  • Without it, your legacy customers cannot sign in. The 4.30+ validator always hashes the entered password with the store's current hash format (SHA512) and compares against the stored value; it never tries the older format. That single line of core logic is the reason your "I forgot my password" tickets spiked after the upgrade.
  • "Please reset your password" emails are a workaround, not a fix. A significant share of customers never open the email, let it fall into spam, or simply do not reset. The drop in conversion and the spike in support load become permanent.
  • SHA1 is no longer recommended for password storage. OWASP and NIST have classified SHA1 as deprecated for years due to its vulnerability to practical collision attacks. A mixed-hash customer table will not pass a security audit, and is incompatible with a serious PCI compliance posture.
  • nopCommerce has no official migration tool. The XML documentation on CustomerSettings.HashedPasswordFormat literally reads "DO NOT edit in production environment" — because changing it locks out existing accounts. This plugin fills exactly that gap, without touching core code.

Admin Dashboard

The plugin's Configure screen turns migration into a measurable, monitored process:

  • Customers still on legacy SHA1 — accounts that will be upgraded on their next successful login.
  • Customers migrated to SHA512 — accounts already stamped by this plugin.
  • Most recent migration timestamp — a UTC marker so you can spot-check progress.
  • Single or bulk password recovery dispatcher — for long-dormant accounts, trigger nopCommerce's standard password recovery flow without leaving the configuration screen.

Under the Hood

The plugin is built to be invisible to your codebase as well:

  • Service replacement via DI: a new implementation of ICustomerRegistrationService is registered with a higher DI order than the core registration. No nopCommerce source files are modified — zero merge conflicts on future upgrades.
  • Password upgrade handshake: at login, the plugin first attempts to validate the entered password against the stored SHA1 hash. On a match, it generates a fresh salt, rehashes with the store's current format (SHA512), and hands control to the standard validator. On a mismatch, it bows out silently — the normal failure path is preserved.
  • Auditable: each successful upgrade stamps the customer with a PasswordMigratedOnUtc generic attribute and, optionally, writes one entry to nopCommerce's system log, prefixed with [PasswordMigration] for easy filtering.
  • Safe-by-default bulk reset: the "send recovery email to all SHA1 users" action is disabled out of the box to prevent accidental mass-mailing. When enabled, a configurable batch size acts as a soft rate limit against your SMTP quotas.
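The upgrade handshake described above, as an added illustrative example in C#. It is not the plugin's code and uses no nopCommerce APIs: it assumes the upper-case hex digest of password + salt, where a 40-character value marks a SHA1 row, and targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-in for one customer password row (hash, per-row salt, audit stamp).
public sealed class PasswordRow
{
    public string Hash { get; set; } = "";
    public string Salt { get; set; } = "";
    public DateTime? MigratedOnUtc { get; set; }
}

public static class LegacyPasswordUpgrader
{
    // Assumed scheme: upper-case hex of Hash(UTF-8(password + salt)).
    // SHA1 digests are 40 hex chars, SHA512 digests are 128, which is how rows are told apart.
    public static string Digest(string password, string salt, bool sha512)
    {
        byte[] input = Encoding.UTF8.GetBytes(password + salt);
        byte[] hash = sha512 ? SHA512.HashData(input) : SHA1.HashData(input);
        return Convert.ToHexString(hash);
    }

    // Returns true only if the row was a legacy SHA1 row and the password matched;
    // only then is the row rewritten. Every other case is left for the normal validator.
    public static bool TryUpgrade(PasswordRow row, string enteredPassword)
    {
        if (row.Hash.Length != 40)
            return false;                               // already SHA512 (or not hashed): nothing to do
        string expected = Digest(enteredPassword, row.Salt, sha512: false);
        if (!CryptographicOperations.FixedTimeEquals(  // constant-time compare of the hex strings
                Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(row.Hash)))
            return false;                               // wrong password: bow out, normal failure path
        string newSalt = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16)); // fresh per-row salt
        row.Salt = newSalt;
        row.Hash = Digest(enteredPassword, newSalt, sha512: true);
        row.MigratedOnUtc = DateTime.UtcNow;            // audit stamp, like the PasswordMigratedOnUtc attribute
        Console.WriteLine("[PasswordMigration] customer password rehashed from SHA1 to SHA512");
        return true;
    }

    public static void Main()
    {
        // Constructed legacy row: SHA1 hash of "correct horse" with salt "s4lt".
        var row = new PasswordRow { Salt = "s4lt", Hash = Digest("correct horse", "s4lt", sha512: false) };
        Console.WriteLine(TryUpgrade(row, "wrong password"));  // wrong password: row must stay untouched
        Console.WriteLine(TryUpgrade(row, "correct horse"));   // correct password: row is rewritten as SHA512
        Console.WriteLine(TryUpgrade(row, "correct horse"));   // second login on the upgraded row: no action
    }
}
```

In a real store the standard validator still runs after TryUpgrade returns, so a rewritten row is verified once more against the new SHA512 hash before the session is created.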

Frequently Asked Questions

Will my customers notice anything?

No. The migration is invisible. The customer signs in with the same password they have always used; the login completes normally. The hash format change happens only in the database.

What about customers who have not logged in for a long time?

Those accounts remain in the dashboard counter until they sign in. When you want to flush them out, you can send the standard nopCommerce password recovery email — to a single customer from the Configure screen, or in bulk via a single click. As soon as the customer sets a new password, it is stored in SHA512 automatically.

Does this work on nopCommerce 4.70 or 4.80?

This build supports nopCommerce 4.90. Because the CustomerRegistrationService constructor signature changed between 4.80 and 4.90, separate builds are required for 4.70/4.80 and will be released as dedicated packages.

What happens if my store's password format is not SHA1 already?

The plugin upgrades only accounts whose current password row is a 40-character Hashed value — i.e. SHA1. If your store's global HashedPasswordFormat is still SHA1, the plugin takes no action (there is nothing to upgrade to). For every other configuration, the plugin activates automatically.

If I uninstall the plugin, do my migrated customers stay migrated?

Yes. Upgraded hashes are written to the standard nopCommerce password table; they do not depend on the plugin at runtime. Uninstall removes only the plugin's own settings and locale resources — customer data is untouched.

Compatibility

  • nopCommerce: 4.90
  • .NET: 9.0
  • Database: Any provider supported by nopCommerce (MS SQL, PostgreSQL, MySQL)
  • Multi-store: Supported

Support & License

The plugin is developed and supported by Red Bilisim. Your purchase includes the updates and support window described on the product page. The license is per-installation; redistribution and resale are not permitted.

For support and updates: software.redpazar.com
