Cannot use MD5 hash verification algorithm in Commerce Server 10.0


Description

If you are using Commerce Server 10.0 and want to log in using old user profiles created back in Commerce Server 2002, you will get errors indicating the user password is not correct.

Cause

Commerce Server 2002 uses the MD5 hash algorithm to hash user profile passwords, so those passwords must be verified with MD5. Commerce Server 2007 and later use SHA256 as the default user password hash algorithm. For backward compatibility, users can specify more than one algorithm in the registry, and the code will try each algorithm in the list in turn to verify the password.
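The following PowerShell script is an added illustration, not Commerce Server code: it shows how a comma-separated verification list (the semantics of HashVerificationAlgorithmList) lets a single verifier accept password hashes produced by different algorithms, and why a profile hashed with MD5 fails when only the default algorithm is tried. Commerce Server's actual stored-password format (salting, encoding, byte layout) is not described on this page; the unsalted hex digests, the function names and the sample password below are assumptions made only to demonstrate the list behaviour.

```powershell
# Added example, not Commerce Server code. Assumes unsalted hex digests purely
# to illustrate list order and fallback; the real profile format is not shown here.

function Get-PasswordDigest {
    param([string]$Algorithm, [string]$Password)
    # HashAlgorithm.Create accepts the same names the list uses ("SHA256", "MD5").
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    if ($null -eq $hasher) { throw "Unknown hash algorithm name: $Algorithm" }
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        return -join ($hasher.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $hasher.Dispose()
    }
}

function Test-ProfilePassword {
    param([string]$StoredDigest, [string]$Password, [string]$VerificationList)
    # Try each algorithm in list order; return the name of the first one that
    # reproduces the stored digest, or $null when none does.
    foreach ($name in ($VerificationList -split ',')) {
        $name = $name.Trim()
        if ([string]::IsNullOrEmpty($name)) { continue }
        if ((Get-PasswordDigest -Algorithm $name -Password $Password) -eq $StoredDigest) {
            return $name
        }
    }
    return $null
}

# Constructed sample data: one profile created under Commerce Server 2002 (MD5)
# and one created under Commerce Server 2007 or later (SHA256), same password.
$password   = 'constructed-sample-password'
$legacyHash = Get-PasswordDigest -Algorithm 'MD5'    -Password $password
$modernHash = Get-PasswordDigest -Algorithm 'SHA256' -Password $password

# With the full list in effect, both profiles verify; the returned name tells
# the caller which algorithm matched (useful for deciding whether to re-hash).
Write-Output ("legacy profile, list SHA256,MD5 : {0}" -f (Test-ProfilePassword $legacyHash $password 'SHA256,MD5'))
Write-Output ("modern profile, list SHA256,MD5 : {0}" -f (Test-ProfilePassword $modernHash $password 'SHA256,MD5'))

# When the list is not found and only the default algorithm is tried, the
# legacy profile cannot be verified: this is the "password is not correct" error.
Write-Output ("legacy profile, list SHA256     : {0}" -f (Test-ProfilePassword $legacyHash $password 'SHA256'))
```

Listing SHA256 before MD5 means profiles hashed with the current algorithm never reach the MD5 comparison; MD5 is consulted only as a fallback for profiles carried over from Commerce Server 2002. A verifier that reports which algorithm matched, as the function above does, also makes it possible to re-hash a legacy password with SHA256 on the next successful login so that MD5 can eventually be dropped from the list.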

In Commerce Server 10.0, the registry root has been moved to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CommerceServer and HKEY_LOCAL_MACHINE\SOFTWARE\CommerceServer paths. The system, however, still reads the HashVerificationAlgorithmList value from the Commerce Server 2009 / R2 path under Microsoft.

Solution

The problem is fixed in Commerce Server 10.1.

As a workaround for Commerce Server 10.0, users can manually create the following registry keys so that the hash algorithms can be discovered and applied by Commerce Server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CommerceServer\9.0\Profiles]
"HashingAlgorithm"=dword:0000800c
"UnsafeAuthenticatedConnectionSharing"=dword:00000000
"HashVerificationAlgorithmList"="SHA256,MD5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CommerceServer\9.0\Profiles]
"HashingAlgorithm"=dword:0000800c
"UnsafeAuthenticatedConnectionSharing"=dword:00000000
"HashVerificationAlgorithmList"="SHA256,MD5"
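The following PowerShell script is an added example, not part of the original article or of Commerce Server: it creates the two Profiles keys and the three values listed above, then reads them back to confirm they landed. The key paths and values are exactly those shown above; the variable and output wording are the example's own.

```powershell
# Added example, not from the KB article: applies the Commerce Server 10.0
# workaround by creating both Profiles keys with the values listed above.
# Run from an elevated, 64-bit PowerShell prompt.

$profileKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\CommerceServer\9.0\Profiles',
    'HKLM:\SOFTWARE\Microsoft\CommerceServer\9.0\Profiles'
)

foreach ($key in $profileKeys) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 0x800C is CALG_SHA_256: new and changed passwords keep being hashed with SHA-256.
    New-ItemProperty -Path $key -Name 'HashingAlgorithm' -PropertyType DWord -Value 0x800C -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UnsafeAuthenticatedConnectionSharing' -PropertyType DWord -Value 0 -Force | Out-Null
    # SHA256 first so current profiles match immediately; MD5 only as a fallback
    # for profiles carried over from Commerce Server 2002.
    New-ItemProperty -Path $key -Name 'HashVerificationAlgorithmList' -PropertyType String -Value 'SHA256,MD5' -Force | Out-Null
}

# Read back and confirm every value is present with the expected content.
foreach ($key in $profileKeys) {
    $values = Get-ItemProperty -Path $key
    $ok = ($values.HashingAlgorithm -eq 0x800C) -and
          ($values.UnsafeAuthenticatedConnectionSharing -eq 0) -and
          ($values.HashVerificationAlgorithmList -eq 'SHA256,MD5')
    Write-Output ("{0}: {1}" -f $key, $(if ($ok) { 'configured' } else { 'MISMATCH' }))
}
```

Run it from a 64-bit PowerShell session: a 32-bit process has its writes to HKLM\SOFTWARE\Microsoft redirected by WOW64 into Wow6432Node, so only one of the two paths would actually be created. Once every legacy profile has logged in and been re-hashed, or has been reset, MD5 can be removed from HashVerificationAlgorithmList again.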