AW: [opencms-dev] Password encrypt ?

Vincent Knecht vince at iefr.ath.cx
Thu Oct 30 20:15:01 CET 2003


On Thu 30/10/2003 at 19:01, Stefan Delladio wrote:
> hello again,
> 
> what is the 'normal' way to decrypt a password ?
> can i decrypt password with a function from the opencms api ?
> i must compare the password that i get from a url request
> with the password from the cms_user table...  

sorry for my post not being clear enough
please anyone correct me if i'm wrong, 'cause i don't know much about
java nor opencms specific programming

from what i know from passwords in computing, it's kind of bad to have
some symmetrical relation between a 'clear' password and an encrypted
one (ie. if you can get clear pass from the encrypted one)

so the (general) solution is to:
1 get clear password from the user
2 encrypt it
3 compare with the previously stored encrypted password
4 if both stored and newly encrypted passwords match, grant access.
  if they do not match, the password the user gave is bad

so, as i don't know opencms api, i just 'greped' opencms webapp dir for
crypt and it gives me this:

history.txt:! The digest-method for encrypting passwords is now
available in the CmsObject.
history.txt:- Added opencms.property for file.encoding used to encode
encrypted passwords. This helps for...

-> so there IS a function call (or method, sorry :-) to encrypt

so i just think you should encrypt the password the user must give to
get access to your area (preferably before passing by url), then get
this and compare with the stored password.

this method hopefully prevents your user's passwords being sniffed on
network and eventually being reported (in clear) by webserver logs.

prolly looking at the /opencms/opencms/system/login panel source will
teach u more than i can (though i don't have a clue where it is)

can someone point this ?


> On Thu 30/10/2003 at 18:23, Stefan Delladio wrote:
> > Hi List,
> > 
> > for a private area on my project, i had to validate the password from
> > users they are stored in the cms_users table in the mysql database.
> > but when i call the getPassword() function from a given user i only get the encrypted
> > password. is there any possibility to decrypt the password ?
> > 
> 
> Hi
> 
> i doubt you can decrypt (in a 'normal' way) passwords, probably the
> solution is to ask the password once again, encrypt it and compare
> the result with the stored password
> 
> hope it helps and it's accurate ;-)
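
The four-step check described in the message above, as an added example that is not part of the original post and is not OpenCms code. It uses Python's standard library with a salted PBKDF2 hash in place of the OpenCms digest method; the storage format, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumed work factor for this example
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scheme$iterations$salt_hex$hash_hex', the value to store."""
    salt = os.urandom(16) if salt is None else salt
    # Fixed UTF-8 encoding: the digest must not depend on the platform's
    # default charset, or stored values stop matching after a migration.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare.

    Nothing is ever decrypted: the stored value only supplies the
    parameters needed to repeat the one-way computation.
    """
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False            # malformed record: deny access
    if scheme != SCHEME or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison, so response time does not reveal how many
    # leading bytes of the hash matched.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("constructed-sample-password")  # constructed input
    print(verify_password("constructed-sample-password", record))  # access granted
    print(verify_password("wrong-guess", record))                  # access denied
```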




