hybris: Import encoded password through impex - sap-commerce-cloud

In Hybris 6 -
How can we import encoded password from csv file to our database through impex by using password encoder: pbkdf2 so that password will store in database as same as in impex. But we can login into site with normal password?
I have tried to put hash value in impex and written ;#password[translator=de.hybris.platform.impex.jalo.translators.UserPasswordTranslator] as attribute in impex. When I have tried to login with normal password, it is giving number format exception with encoded value.
Please help me, how can I import encoded password?

I guess the correct way to import encoded password would be :
insert_update Employee;encodedPassword;passwordEncoding;
;<your_encoded hash>;pbkdf2
But I fear you'll have trouble to authenticate if the provider of the password is different from the entity that will check passwords.
You can take a look at this post where you can find a PBKDF2 implementation in Java. Maybe you'll have to customize hybris behaviour to validate your passwords.

Related

Using a data source for a Web performance test that is encrypting password

In my visual studio webtest I currently have a password field that encrypts the password after i recorded it. I wanted to data drive my web-test so i data bind the form's post parameter with my data source that is not encrypted which is failing the webtest, since its putting in the plain password instead of the encrypted password since the recorder recorded the encrypted password.
What are my options to be able to data drive the test with the different user name using my plain password or is there a way for me to encrypt the password even not knowing what is used to encrypt the password. Thanks.

Password Migration from Django to Mysql

Hello I have my existing web application in Django. Now I am migrating to node js and I am using the bcrypt algorithm for hashing the password. So, the problem is: In Django , it uses pbkdf2_sha256 algorithm for storing password. How do I migrate password from Django so that my matching algorithm match the peviously stored password correctly?
Use the node.js crypto.pbkdf2 function, see crypto.pbkdf2. PBKDF2 is the suggested passsword hashing method in the NIST SP 800-63-3 Draft document.

How does Hybris salt its MD5 password hashes?

Hybris (version 5.1) can store user passwords in the clear (the default), or using MD5. The MD5 option is not a straight MD5 hash of the password, so i suspect some kind of "salting" is involved. But what? My goal is to be able to write a password reset application that can write new random passwords to the hybris database in MD5 mode (not in the clear).
Getting a little closer: I know that my configuration is using core.saltedMD5PasswordEncoder, and that the value of the salt is set in hybris/bin/platform/ext/core/resources/core-spring.xml
Still, without the source for saltedMD5PasswordEncoder, i may not get very far.
Hybris supports more than one password encoding schema. Which schema or strategy is actually used depends on your configuration.
You will have to look up the documentation for your password encoding strategy to see how the fields are mapped.
Usually a salt is randomly generated for each user and stored together with the password in the same object (database row).
Furthermore MD5 should not be used anymore. It is broken beyond repair and a salt will not fix it.
Please consult the hybris documentation on password encoding https://wiki.hybris.com/display/release5/Password+Storage+Strategies
and stack overflow for password storage best practices.

Passwords MD5 encoded without salt. How to fix it?

I have a system where users can signup by Facebook or by a regular form. If user signup by Facebook, my system generates a random password, just to allow user to log-in without Facebook if he wants. If user signup using regular form, he can type any password he wants. In both ways, password are encoded into a MD5 hash, but without salting. It's is insecure, I know, this is the reason i'm here.
I don't know the best strategy to convert the passwords into secure ones... First i'm thinking to keep the MD5 insecure password, and when user log-in, i can match the password without salt, salt-it, and then update the database. But it doesn't solve my problem, because system will still accept the insecure password. Besides that, user can still log-in using facebook, witch do not allow me to update their password (since he didn't used it).
So, have anybody an idea to minimize the impact instead of just force everyone to update the passwords?
Thanks!
So, I've done the following actions to solve my problem.
Created a column "LastPasswordChange" in users table.
When user changes password, the field is updated with current date, ALSO, an e-mail is sent to user to inform that password was changed, with a link to revert it in case of this is wrong (due to a possible hack).
The e-mail allow user to log in and set a new password without knowing the last used.
When user log-in using the current password, it looks to the LastPasswordChange field, and if it is null, it allow the login without using the salt.
In any way he/she logs in (Facebook or Login/pass), system looks to the LastPasswordChange field, and if it is null, system requires user to change the current password to a different one (not match the old one without salt).
That's it.

Security issues in accepting passwords vs auto generating the password

I am developing a console application. This application generates a self signed certificate and installs it in the current machine's certificate store.
The steps involved are :-
Generate a certificate
Create a pfx file
Install the pfx file
For these steps, I would need a password for protecting the private key and the pfx file.
However these passwords are used only during the execution of the exe.
Should I auto generate a password using some random number generation algorithm or accept the password as input from the user?
What are the security issues involved in both the scenarios?
Thanks for all the replies. Life time of the password is only till the pfx file gets generated. The program deletes the pfx file after installing it in the windows certificate store. In such a scenario I guess accepting password from user would not offer any security advantage over auto generating it.
I would like to add to this question further.
Once the password is available to the program how do u secure this password for its lifetime ? I am using .net and have read about secure strings in .net. But the secure string would have to be built from the string which doesn't solve the problem.
the code snippet looks like
string password = AutoGenerateOrGetPassword();
GenerateCertificateAndInstall(password);
How does one protect the password which is stored in memory during its lifetime ?
There shouldn't be any major security level difference or issues whether you auto generate or use a given password.
However, using an auto generated password will guarantee you a certain level of password complexity - this reduces to chances of brute force attack.
Using a given password would mean that someone (physically) knows the password. You won't know how complex the password user entered is going to be. Giving a password 'AAAA' will probably be less secure than a password that is given 'W0R!$%3D'.
Are you going to show the auto-generated password if it is done auto-generated manner?
I'd suggest that you go according to your software requirements. If this is not stated in the requirements, allow the user to choose between auto-generated or enter password.
I think a discussion "accepting passwords vs auto generating the password" is meanless in the context of your qestion if you make shure that the pfx-file is deleted after the import. It will only exist until beeing imported into "machine's certificate store."
If the pfx-file must be backed up or transferd via email/usbstick i prefer the "accepting passwords form user" variant because
Providing an inputform for the password plus implementing some logigic to make shure that the password ist strong enougn is easier than organizing that the user gets its pfx-file and the corresponding password via two independet channels. Sending pfx + password in one email is as secure as having no password at all.

Resources