Chand,

Perhaps Andy Zeneski will comment on this as he's been doing a lot of
work on the security stuff recently.

It seems like a good idea, but perhaps I'm missing something...

- Andrew

On Thu, 2007-01-25 at 03:03 -0800, Chandresh Turakhia wrote:
>  Andrew & Drew,
>  
>  May I bring to light a different aspect of password generation:
>  
>         It generates the **same** "encrypted password" every time.
> E.g. "test" may generate "XYXQ1111". For the next "test" as password it
> will also generate "XYXQ1111".
>  
>         I needed to stop users from registering with standard passwords
> like "test"; "test123"; "bharti" etc.  All I had to do is run the
> program which checks for these "standard generated passwords" and
> check with the "generated user entered password" in batch or online. In
> case the string matches, stop him from completing the process.  I admit
> it was a really dirty hack.
>  
>         This is a debatable issue - is it a feature or a bug :)    OFBiz
> being open source, it has far more implications.
>         
>          Can password generation be parameterized so the generated
> password is different?
>         
> Chand
>  
>  
> ----- Original Message -----  
> From: "Andrew Sykes" <[EMAIL PROTECTED]>
> To: <dev@ofbiz.apache.org>
> Sent: Wednesday, January 24, 2007 8:08 AM
> Subject: Re: How do I decrypt passwords?
> 
> 
> > Drew,
> > 
> > I believe the encryption is asynchronous, i.e. not reversible.
> > 
> > - Andrew
> > 
> > On Wed, 2007-01-24 at 10:33 -0500, Stephens, Drew wrote:
> >> I have a question about decrypting passwords from the User_Login table.
> >> We need to prepare a file of User ID and passwords to an external
> >> system, I think I have found the programming used to encrypt and save
> >> the password to the database but I could not find any logic to decrypt
> >> the password.  Obviously, if we can't decrypt we can't provide the
> >> password.  I don't want to reverse engineer the encryption logic and
> >> then write a new decryption logic; I want to use something that already
> >> exists.
> >>  
> >> We are running an old version of OFBIZ, I think 1.1 but I don't remember
> >> exactly how to find out for sure.
> >>  
> >> Thanks for any help you can provide.
> >>  
> >> 
> >> Drew Stephens
> >> Rippe & Kingston Systems, Inc. 
> >> [EMAIL PROTECTED]
> >> Phone: (513) 977-4573 
> >> 
> >> Visit us at: www.rippe.com 
> >> 
> >> 1077 Celestial Street, Cincinnati, Ohio 45202-1696
> >> 
> >>
> >> 
> >>  
> > -- 
> > Kind Regards
> > Andrew Sykes <[EMAIL PROTECTED]>
> > Sykes Development Ltd
> > http://www.sykesdevelopment.com
> > 
> >
-- 
Kind Regards
Andrew Sykes <[EMAIL PROTECTED]>
Sykes Development Ltd
http://www.sykesdevelopment.com
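
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OFBiz code: an unsalted digest gives the same stored value for the same password, a per-user random salt makes each stored value different while still allowing verification, and the weak-password check runs on the plaintext at registration instead of comparing stored digests. Unsalted SHA-1 stands in for whatever digest the installation uses, and the function names, record format and blocklist are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed blocklist, using the passwords named in the thread.
WEAK_PASSWORDS = {"test", "test123", "bharti"}


def unsalted_sha1(password: str) -> str:
    """Deterministic digest: equal passwords always give equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the random salt makes each stored value unique."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Hypothetical record format: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count kept in the stored record."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def is_acceptable(password: str) -> bool:
    """Blocklist check on the plaintext at registration, before hashing."""
    return password.strip().lower() not in WEAK_PASSWORDS


if __name__ == "__main__":
    print(unsalted_sha1("test") == unsalted_sha1("test"))   # same value twice
    a, b = hash_password("test"), hash_password("test")
    print(a != b, verify_password("test", a), verify_password("test", b))
    print(is_acceptable("test"), is_acceptable("a longer passphrase"))
```

Because the salt is stored next to the derived key, the one-way property Andrew describes is kept: the password can be verified but not recovered.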
