Chand,
So what are you proposing? If we did this, how would the one-way encryption process and checking process work?
This is a VERY standard part of one way encryption. It's not a security flaw in any way. One-way password encryption is vulnerable to dictionary attacks in pretty much all systems, and especially if you have direct access to the password file or table. That includes pretty much all operating systems as well.
If you're really curious, I recommend finding a good book on the topic. With OFBiz we just use well established industry practices, we're not in the business of inventing new encryption standards or security processes.
-David

On Jan 25, 2007, at 4:03 AM, Chandresh Turakhia wrote:
Andrew & Drew,

May I bring to light a different aspect of password generation: it generates the **same** "encrypted password" every time. E.g. "test" may generate "XYXQ1111"; for the next "test" as password it will also generate "XYXQ1111". I needed to stop users from registering with standard passwords like "test", "test123", "bharti" etc. All I had to do was run the program which checks for these "standard generated passwords" and checks them against the "generated user-entered password", in batch or online. In case the string matches, stop him from completing the process. I admit it was a really dirty hack. This is a debatable issue - is it a feature or a bug :) OFBiz being open source, it has far more implications. Can password generation be parameterized so the generated password is different?

Chand

----- Original Message -----
From: "Andrew Sykes" <[EMAIL PROTECTED]>
To: <dev@ofbiz.apache.org>
Sent: Wednesday, January 24, 2007 8:08 AM
Subject: Re: How do I decrypt passwords?

Drew,

I believe the encryption is asynchronous, i.e. not reversible.

- Andrew

On Wed, 2007-01-24 at 10:33 -0500, Stephens, Drew wrote:

I have a question about decrypting passwords from the User_Login table. We need to prepare a file of User IDs and passwords for an external system. I think I have found the programming used to encrypt and save the password to the database, but I could not find any logic to decrypt the password. Obviously, if we can't decrypt we can't provide the password. I don't want to reverse engineer the encryption logic and then write a new decryption logic; I want to use something that already exists. We are running an old version of OFBIZ, I think 1.1, but I don't remember exactly how to find out for sure.

Thanks for any help you can provide.

Drew Stephens
Rippe & Kingston Systems, Inc.
[EMAIL PROTECTED]
Phone: (513) 977-4573
Visit us at: www.rippe.com
1077 Celestial Street, Cincinnati, Ohio 45202-1696

--
Kind Regards
Andrew Sykes <[EMAIL PROTECTED]>
Sykes Development Ltd
http://www.sykesdevelopment.com
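Chand's hack works only because the stored hash is unsalted, so equal passwords yield equal digests. The following is an added illustration in Python, not OFBiz code and not from any poster in this thread: it contrasts a deterministic unsalted digest with a per-user salted one, shows why the digest-matching hack breaks once salting is introduced, and moves the weak-password check to the plaintext at registration, where it keeps working either way. The banned-password list, the SHA-256/PBKDF2 choices and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed banned list, standing in for the "test", "test123", "bharti"
# examples from the thread; a real deployment would load a much longer one.
BANNED_PASSWORDS = {"test", "test123", "bharti"}


def hash_unsalted(password: str) -> str:
    """Deterministic one-way hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted, iterated one-way hash: the same password gives a different digest per salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def banned_by_digest_match(stored_digest: str) -> bool:
    """Chand's approach: compare a stored digest against digests of known-weak passwords.
    This only works while hashing is unsalted and deterministic."""
    banned_digests = {hash_unsalted(p) for p in BANNED_PASSWORDS}
    return stored_digest in banned_digests


def register(password: str) -> Optional[Tuple[bytes, str]]:
    """Reject weak passwords in plaintext before hashing, then store a salted digest.
    Returns (salt, digest_hex), or None when the password is on the banned list."""
    if password.lower() in BANNED_PASSWORDS:
        return None
    return hash_salted(password)
```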