Author Topic: Where are user passwords stored? (Read 15426 times)

Boron · « **on:** April 19, 2018, 07:43:12 pm »

In EA 11 Sparx has changed to a SHA hash of the user security passwords.
Along with that change, the storage location of the user passwords has changed. Before the passwords where in table t_secuser, now they are somewhere else.
Does anybody know where the passwords are stored?

PeterHeintz · « **Reply #1 on:** April 19, 2018, 08:53:10 pm »

Hi Boron, in my 1310 build it seems still to be stored in the table t_secuser.

Boron · « **Reply #2 on:** April 19, 2018, 10:18:28 pm »

It is true that there is still a column named "passwd", but that is the old password hash that has been used before EA 11.
Somehwere else are the new SHA hashes,but not in t_secuser

Boron · « **Reply #3 on:** April 20, 2018, 12:19:22 am »

I found the new password storage.
It is in table t_xref. All entries with name = 'SHA-256' are passwords of users in table t_secuser (passwords that have been created with EA version >= 11).
The guid of a user can be found in t_xref.client.

Maybe this information also helps anyone else

.

Uffe · « **Reply #4 on:** April 20, 2018, 12:46:49 am »

Ha!

I was gonna say, as a joke, "it's probably in t_xref."

/Uffe

qwerty · « **Reply #5 on:** April 20, 2018, 06:13:54 am »

Yes, definitely useful information. Will add that to the next book release...

q.

steen.jensen · « **Reply #6 on:** April 20, 2018, 08:22:10 pm »

To Qwerty
Is your book about Scripting in EA updatet to EA v 13.x ?

Regards
Steen Jensen

qwerty · « **Reply #7 on:** April 20, 2018, 10:02:50 pm »

Well, not really. There is no real need for that. It's just that EA adds a few API calls which only get relevant in specific areas. And my book is a general approach to EA's API which has not changed. Anyhow, every now and then I try to update the API description in the book with my own experience on their usage (which quite often is not that positive).

q.

horszasz · « **Reply #8 on:** August 06, 2020, 04:33:02 pm »

Hi there,

I have the same question: we need to integrate EA with our enterprise identity management toolset. Since winauth is no good for all of the use cases, the only way is if we replicate the user passwords from IDM directly into EA repository DB.

Does anybody have any news in this topic? It seems not to be very complicated, the only question is, what obfuscating method is used by EA for the passwords....

Thanks for all in advance!

Eve · « **Reply #9 on:** August 07, 2020, 10:52:53 am »

Quote from: horszasz on August 06, 2020, 04:33:02 pm

Does anybody have any news in this topic? It seems not to be very complicated, the only question is, what obfuscating method is used by EA for the passwords....

Not obvious enough? The Name of the xref is accurate. It's a SHA256 hash.

horszasz · « **Reply #10 on:** August 07, 2020, 04:52:09 pm »

Eve,

No, not really

Unfortunately the question is a little bit more complicated.

Please let me analyse the question short

Actually an SHA-256 hash is 32 bytes long, but the values in column xref.supplier are 44 bytes long. Okay, quite simple: the values are base64 encoded.

BUT! If I use the Password "Password",
...It's SHA-256 hash (hex) is: E7 CF 3E F4 F1 7C 39 99 A9 4F 2C 6F 61 2E 8A 88 8E 5B 10 26 87 8E 4E 19 39 8B 23 BD 38 EC 22 1A
...with base64 encoding this 32 bytes i will come to: 588+9PF8OZmpTyxvYS6KiI5bECaHjk4ZOYsjvTjsIho=
...unfortunately xref.supplier contains: R9Bqf629Fwrn3K7mCXcXcQzDJ/+AB2MPUr5iBTq5LK4=

As you can see, the value in xref.supplier is different from the SHA-256 hash of the password. So, the hashed string MUST be different from the password. The question is: How different?

If I create two users with the same password "Password", the field in xref.supplier will contain different values for the two users: it means, the password must be "salted" with some user details. To find out how it is salted, seems to be near impossible.

So, I must say: NO, it's not obvious enough!

Regards,
Gergely

qwerty · « **Reply #11 on:** August 07, 2020, 05:47:10 pm »

I doubt they publish that. Since if so it will be easy to create a new admin password and replace it. Alas, since having direct access to the DB anyway, any "security" measures are pointless.

q.

Uffe · « **Reply #12 on:** August 07, 2020, 06:01:34 pm »

Shh!

Don't start pointing out the complete absence of anything like security in this product.
All that will get you is shat on from a dizzying height.

/U

qwerty · « **Reply #13 on:** August 07, 2020, 06:19:46 pm »

I was sent to hell eons ago.

q.

Geert Bellekens · « **Reply #14 on:** August 07, 2020, 06:40:47 pm »

But it's a good thing they started salting the hash. They didn't do that a few versions ago.
That at least makes it less likely to figure out someones password with a rainbow table.

It doesn't really make EA any more secure, but since people tend to re-use passwords, being able to figure out passwords from the hashes is a significant security risk.

Using Windows Authentication (or OpenID? Never used that one) of course much better as EA doesn't have to do any password encryption anymore.

Geert

Sparx Systems Forum

News: