AW: [opencms-dev] Password encrypt ?

Fri Oct 31 09:24:01 CET 2003

Yes - I don't think you can decrypt MD5 crypted password.

Regards,

Olli

> -----Original Message-----
> From: opencms-dev-admin at opencms.org
> [mailto:opencms-dev-admin at opencms.org]On Behalf Of Vincent Knecht
> Sent: 30 October 2003 18:43
> To: opencms-dev at opencms.org
> Subject: Re: AW: [opencms-dev] Password encrypt ?
>
>
> Le jeu 30/10/2003 à 19:01, Stefan Delladio a écrit :
> > hello again,
> >
> > how is the 'normal' way to decrypt a password ?
> > can i decrypt password with an function from the opencms api ?
> > i must compare the password that i get from a url request
> > with the password from the cms_user table...
>
> sorry for my post not being clear enough
> please anyone correct me if i'm wrong, 'cause i don't know much about
> java nor opencms specific programming
>
> from what i know from passwords in computing, it's kind of bad to have
> some symetrical relation beetween a 'clear' password and an encrypted
> one (ie. if you can get clear pass from the encrypted one)
>
> so the (general) solution is to:
> 1 get clear password from the user
> 2 encrypt it
> 3 compare with the previously stored encrypted password
> 4 if both stored and newly encrypted passwords match, grant access.
>   if they do not match, the password the user gave is bad
>
> so, as i don't know opencms api, i just 'greped' opencms webapp dir for
> crypt and it gives me this:
>
> history.txt:! The digest-method for encrypting passwords is now
> available in the CmsObject.
> history.txt:- Added opencms.property for file.encoding used to encode
> encrypted passwords. This helps for...
>
> -> so there IS a function call (or method, sorry :-) to encrypt
>
> so i just think you should encrypt the password the user must give to
> get access to your area (preferably before passing by url), then get
> this and compare with the stored password.
>
> this method hopefully prevent your user's passwords being sniffed on
> network and eventually being reported (in clear) by webserver logs.
>
> prolly looking at the /opencms/opencms/system/login panel source will
> teach u more than i can (though i don't have a clue where it is)
>
> can someone point this ?
>
>
> > Le jeu 30/10/2003 à 18:23, Stefan Delladio a écrit :
> > > Hi List,
> > >
> > > for a private area on my project, i had to validate the password from
> > > useres they are stored in the cms_users table in the mysql database.
> > > but when i call the getPassword() function from an given user
> i only get the encrypted
> > > password. is there any possibilty to decrypt the password ?
> > >
> >
> > Hi
> >
> > i doubt you can decrypt (in a 'normal' way) passwords, probably the
> > solution is to ask the password once again, encrypt it and compare
> > the result with the stored password
> >
> > hope it helps and it's accurate ;-)
>
>
> _______________________________________________
> This mail is send to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.532 / Virus Database: 326 - Release Date: 27/10/2003
>
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.532 / Virus Database: 326 - Release Date: 27/10/2003