Decrypt and retrieve the login password

Once I log in to the application, the password seems to be encrypted and stored in the user table. How do I decrypt and retrieve the login password in our OutSystems application?


Thanks,

Joga

Erm, you do not.

It's not wise to be able to decrypt a password..


Simply reset it.


J. wrote:

Actually, I want to retrieve the username and password from the application login and pass them in the AJAX call for consuming a REST interface with Basic authentication. I am able to get the username from the session variable, but the password in the user table seems to be encrypted.

Erm, you do not.

It's not wise to be able to decrypt a password..


Simply reset it.




Srinivasa Commuri wrote:

J. wrote:

Actually, I want to retrieve the username and password from the application login and pass them in the AJAX call for consuming a REST interface with Basic authentication. I am able to get the username from the session variable, but the password in the user table seems to be encrypted.

Erm, you do not.

It's not wise to be able to decrypt a password..


Simply reset it.




Hello Srinivasa


As J. mentioned, you should not attempt to decrypt the password. If you're designing an application integration that requires you to decrypt the password, then you should redesign the solution.


Also, the users' passwords are stored in the database following security best practices: they are hashed, not encrypted, precisely so that they cannot be decrypted. So you can't decrypt the user password from the OutSystems built-in users model.

What kind of integration are you using? Is it for the same system, or a different system?


Cheers



Hello Srinivasa

If you are integrating with a different system, you can encrypt and save the password for that system and decrypt it afterwards. But this is strange, because if you have control of that system I think it is better to generate an access token for your API and reset that access token whenever necessary.

Indeed, it would be very unwise to send a password used in the Platform via REST to some external service, especially since Basic Authentication sends the password as plain text (even though the connection itself should be secure, the password is only Base64 encoded).

I have got the same situation, where the user credentials from OutSystems need to be validated at one of the Exchange servers to perform some actions. The Exchange server exposes an API which requires a username and password to validate. Do we have any such mechanism in place now with which we can get the username and password so as to authenticate? I am asking this now as the above thread is one year old and I hope there is some solution to this now.

There is no solution, because you don't want that.

Decryption of passwords is still a big no-no.


All you can do is ask the user to type in the password and then call that Exchange action.

Then you will have the plain password, which you can pass around..

Security-wise I doubt it is allowed...




Debasis Sahoo wrote:

I have got the same situation, where the user credentials from OutSystems need to be validated at one of the Exchange servers to perform some actions. The Exchange server exposes an API which requires a username and password to validate. Do we have any such mechanism in place now with which we can get the username and password so as to authenticate? I am asking this now as the above thread is one year old and I hope there is some solution to this now.

"That's not the solution you are looking for" - Obi Wan Codenobi


Like it has been said before, you won't be able to decrypt the passwords and that's by design. Passwords are stored hashed so they can't be fetched.

If you want to not have the user type in the password for each access to an external provider, you should be looking into token-based authentication like OAuth for web services. If you want to have the same password for different applications or systems, you should look into external authentication providers.
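Two points from the replies above, that Basic authentication is plain text under Base64 and that a token, not the password, is what the client should hold for an external service, as an added example that is not part of the original thread and not OutSystems or OAuth code. Standard-library Python only; the TokenIssuer class, its in-memory store, the expiry and the sample credentials are constructed for illustration and stand in for whatever the external service actually provides.

```python
"""Basic authentication is reversible; a bearer token is not a password.

Added example (not from the original thread). The token store, expiry
and the sample credentials are assumptions chosen for illustration; a
real issuer would live on the external service's side.
"""
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the header a browser/AJAX call sends for Basic authentication."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Base64 is encoding, not encryption: whoever holds the header holds the password.
    Returns None for anything that is not a well-formed Basic header."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, pw = decoded.partition(":")  # RFC 7617: first colon separates
    if not sep:
        return None
    return user, pw


class TokenIssuer:
    """Minimal opaque-token service (constructed for this example).

    Issues random tokens, stores only their SHA-256 so a leaked store does
    not yield usable tokens, and supports expiry and revocation. The user
    authenticates to the service once, by whatever means it offers; the
    client then keeps the token and never the password."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._active = {}  # sha256(token) -> (subject, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, subject: str, now: Optional[float] = None) -> str:
        """Return a fresh token for `subject`; `now` is injectable for testing."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._active[self._key(token)] = (subject, now + self.ttl)
        return token

    def subject_for(self, header: str, now: Optional[float] = None) -> Optional[str]:
        """Validate an 'Authorization: Bearer <token>' header; None if invalid."""
        now = time.time() if now is None else now
        scheme, _, token = header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        entry = self._active.get(self._key(token))
        if entry is None:
            return None
        subject, expires_at = entry
        if now >= expires_at:
            self._active.pop(self._key(token), None)  # expired: drop it
            return None
        return subject

    def revoke(self, token: str) -> None:
        """Invalidate one token without touching any password."""
        self._active.pop(self._key(token), None)


def bearer_header(token: str) -> str:
    return "Bearer " + token


if __name__ == "__main__":
    hdr = basic_auth_header("joga", "s3cret")
    print(hdr, "->", credentials_from_basic_header(hdr))
    issuer = TokenIssuer(ttl_seconds=60)
    tok = issuer.issue("joga")
    print(issuer.subject_for(bearer_header(tok)))
    issuer.revoke(tok)
    print(issuer.subject_for(bearer_header(tok)))
```

The contrast is the whole point: decoding the Basic header gives the password back, so anything that logs, proxies or intercepts that request (Burp, as later in this thread) has the credential itself; a bearer token can be scoped, expired and revoked on its own, and storing only its hash on the issuing side means a dumped token table is not a list of valid credentials.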

Thank you for the suggestion Rui. I better try to implement external authentication providers.

Dear All

How do I asterisk this password?

This password is visible when you have successfully logged in on the login page.



Hothorasman Panjaitan wrote:

Dear All

How do I asterisk this password?

This password is visible when you have successfully logged in on the login page.



That's the login HTTP request that is sent when you log in, right? That's supposed to be there. You have to send the password to the server for validation.


Rui Covelo wrote:

Hothorasman Panjaitan wrote:

Dear All

How do I asterisk this password?

This password is visible when you have successfully logged in on the login page.



That's the login HTTP request that is sent when you log in, right? That's supposed to be there. You have to send the password to the server for validation.


Dear Rui Covelo,

That's the login HTTP request that is sent when you log in, right? - Right

How do you send a password that must be validated? Do I have to encrypt it from the start?



No. You don't have to do anything. That's just how it works. The user types in the password and clicks "Login". The username and password are sent over to the server, the server hashes the password and compares it to the hash in the database. If they are equal, the login is valid.

Mind that the password is sent over an encrypted HTTPS channel. You are only able to see that because you are using the browser developer tools which are able to access that information before it is sent over to the server. If you were eavesdropping on the internet, you wouldn't be able to see the password.


PS: actually, that looks like Burp? Burp does a man-in-the-middle attack. You had to trust Burp's certificate in order to do that. That's why you are able to see the password.
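The hash-then-compare login flow described in the reply above, as an added example that is not code from the original thread or from the OutSystems platform. Standard-library Python; the PBKDF2 parameters, the in-memory USER_TABLE and the sample password are assumptions made for illustration.

```python
"""Password hashing and the hash-then-compare login flow.

Added example (not from the original thread or OutSystems). Uses only
the Python standard library; the iteration count, the user table and the
sample password are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 parameters (assumed; tune to your hardware and policy).
# A memory-hard function such as scrypt or Argon2id is preferable where available.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).
    A fresh random salt means two users with the same password get different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare.
    There is no inverse step: the only way to check is to hash the candidate again."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(hash_hex) // 2)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed sample "user table": username -> stored hash record.
# DUMMY_RECORD is hashed against when the user does not exist, so a lookup of an
# unknown username takes about as long as a wrong password for a known one.
DUMMY_RECORD = hash_password(secrets.token_hex(16))
USER_TABLE = {"joga": hash_password("correct horse battery staple")}


def login(username: str, password: str, user_table: dict = USER_TABLE) -> bool:
    """The flow from the thread: the clear-text password arrives over TLS, is
    hashed server-side and compared with the stored hash. It is never stored."""
    record = user_table.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(USER_TABLE["joga"])  # no recoverable password in here
    print(login("joga", "correct horse battery staple"))
    print(login("joga", "wrong"))
```

What this shows that the prose alone does not: the stored record contains a salt and a derived key, nothing that can be "decrypted" back to the password, which is why the only answer to the original question is a reset; and the verify step is exactly the login request seen in Burp, the clear-text password arriving once, being hashed, and being discarded.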

Dear Rui Covelo,

I encrypted it but it didn't work


You don't have to encrypt it. You MUST NOT encrypt it. The password has to be sent in clear text back to the server. 


I'm not sure what are you trying to accomplish. Are you creating a custom login page?



Dear  Rui Covelo,

I'm not sure what you are trying to accomplish. Are you creating a custom login page? -> No, I'm using LayoutLogin

Hothorasman Panjaitan wrote:

Dear  Rui Covelo,

I'm not sure what you are trying to accomplish. Are you creating a custom login page? -> No, I'm using LayoutLogin

I don't recognise ActGetLoginForWeb as a system login. 

But in any way, you are not supposed to encrypt the password.


I'm going to close this topic, as the original question is over three years old, and has been answered already.

@Hothorasman: your problem is not related to the original question, and it has been explained what your problem is. (tl;dr yes, of course passwords are sent in plain text, but over a secure connection, so you can't see them, unless you a) look in the browser directly or b) install man-in-the-middle software like you seem to have done.)