password encryption

Answers

Hi William,

Caché does not store plaintext passwords. All passwords are hashed prior to storage, and the password hashes are then compared. More information about password security can be found in the "Caché Authentication" portion of the documentation: http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...
Caché stores only irreversible cryptographic hashes of passwords. The hashes are calculated using the PBKDF2 algorithm with the HMAC-SHA-1 pseudorandom function, as defined in Public Key Cryptography Standard #5 v2.1: "Password-Based Cryptography Standard." The current implementation uses 1024 iterations, 64 bits of salt, and generates 20-byte hash values. There are no known techniques for recovering original passwords from these hash values.
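To make the parameters in that answer concrete, here is an added example (not InterSystems' code) that derives and verifies a password hash with PBKDF2-HMAC-SHA-1, 1024 iterations, an 8-byte salt and a 20-byte output. The stored-record layout (salt followed by hash) is an assumption for illustration only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters as stated above: PBKDF2 with HMAC-SHA-1, 1024 iterations,
# 64-bit (8-byte) salt, 20-byte derived hash.
ITERATIONS = 1024
SALT_LEN = 8
HASH_LEN = 20


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 per PKCS #5 v2.1 (RFC 8018); returns HASH_LEN bytes."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN
    )


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build the value to store: random salt followed by the derived hash.

    The salt||hash layout is assumed here; only the PBKDF2 parameters
    come from the answer above. A fresh salt per user means two users
    with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt + derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Re-derive from the stored salt and compare in constant time.

    The stored hash is never reversed; verification is recomputation.
    """
    if len(record) != SALT_LEN + HASH_LEN:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(derive(password, salt), stored)
```

The `iterations` parameter exists only so the primitive can be checked against the published RFC 6070 test vectors; the stated Caché setting is 1024.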
William

As usual it depends what you are trying to do.

Cache passwords may take care of themselves but I have a Web Portal that does not use the cache logon process.

I save the HashEncryption in the string property. As far as I know this cannot be decrypted.

set obj=##class(abc.portal.objPortalAccount).%OpenId(PortalAccountId)
set obj.sPassword=##class(abc.util.Encryption).HashEncryption(Password)
set sc=obj.%Save()

On the next login I encrypt the entry field and compare to the original established version.

When the Web user establishes his account, he enters the Email address that I need to prove.

I return an email to that address with a url and a coded string to continue with the challenge.

set Return=##class(abc.util.Encryption).Base32Encode(Return)

This can be decrypted within the web page when it is returned attached to the URL and this allows me to validate the returning process.

set Return=##class(abc.util.Encryption).Base32Decode(Return)

Once all this has been established I invite the user's preferred Password and save it with the HashEncryption; it then becomes non-readable.
Hope this helps.

Comments

cache users.  We are concerned because we were able to use the utility stzzpass to display the passwords.

Can you please provide more information about this utility. Google shows no results for query 'stzzpass'

This is not a Caché utility - it must be supplied by your application partner. Also, the AP must be storing their own users at the application level, because if they were using Caché users there would be no way to create a utility that shows Caché users' passwords (see Patrick's answer below).

I suggest you reach out to your application partner with this question (or if it is an in-house development, speak with the development team).