Decrypt and retrieve the login password


Once I log in to the application, the password seems to be encrypted and stored in the user table. How do I decrypt and retrieve the login password in the OutSystems application?


Thanks,

Joga

erm, you do not.

not wise to be able to decrypt password..


simply reset it.


J. wrote:

Actually I want to retrieve the username and password from the application login and pass it in the AJAX call for consuming a REST interface with Basic authentication. I am able to get the username from the session variable but the password in the user table seems to be encrypted.

erm, you do not.

not wise to be able to decrypt password..


simply reset it.




Srinivasa Commuri wrote:

J. wrote:

Actually I want to retrieve the username and password from the application login and pass it in the AJAX call for consuming a REST interface with Basic authentication. I am able to get the username from the session variable but the password in the user table seems to be encrypted.

erm, you do not.

not wise to be able to decrypt password..


simply reset it.




Hello Srinivasa


As J. mentioned, you should not attempt to decrypt the password. If you're designing an application integration that requires you to decrypt the password, then you should redesign the solution.


Also, the users' passwords are stored in the database using security best practices: they are hashed and not encrypted, so that they cannot be decrypted. So you can't decrypt the user password from the OutSystems built-in users model.

What kind of integration are you using? Is it for the same system, or a different system?


Cheers



Hello Srinivasa

If you are integrating with a different system, you can encrypt and save the password of this system and decrypt it afterwards. But this is strange, because if you have control of this system I think it is better to generate an Access Token for your API and reset this Access Token whenever necessary.

Indeed, it would be very unwise to send a password used in the Platform via REST to some external service (especially since Basic Authentication sends the password as plain text (even though the connection itself should be secure and the password is Base64 encoded)).

I have got the same situation where the user credentials from OutSystems need to be validated at one of the Exchange servers to perform some actions. Exchange server exposes an API which requires username and password to validate. Do we have any such mechanism in place now with which we can get username and password so as to authenticate? I am asking this now as the above thread is one year old and I hope there is a solution to this now.

There is no solution, because you don't want that.

Decryption of passwords is still a big no-no.


All you can do is ask the user to type in the password and then call that Exchange action.

Then you will have the plain password, which you can pass around..

Security-wise I doubt it is allowed...




Solution

Debasis Sahoo wrote:

I have got the same situation where the user credentials from OutSystems need to be validated at one of the Exchange servers to perform some actions. Exchange server exposes an API which requires username and password to validate. Do we have any such mechanism in place now with which we can get username and password so as to authenticate? I am asking this now as the above thread is one year old and I hope there is a solution to this now.

"That's not the solution you are looking for" - Obi Wan Codenobi


Like it has been said before, you won't be able to decrypt the passwords and that's by design. Passwords are stored hashed so they can't be fetched.

If you do not want to have the user type in the password for each access to an external provider, you should be looking into token-based authentication like OAuth for web services. If you want to have the same password for different applications or systems, you should look into external authentication providers.


Thank you for the suggestion Rui. I better try to implement external authentication providers.
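The two points made in the replies above, as an added example that is not part of the original thread and is not OutSystems code: a hashed password can only be verified against what the user types, never read back, while a Basic authentication header is trivially reversible by anyone who sees it. PBKDF2-HMAC-SHA256 stands in for the platform's hashing scheme, which the thread does not name; the function names, iteration count and sample credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this sketch


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): the only values a user table needs to store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-hash what the user typed and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Recover the credentials from a Basic header: Base64 is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


if __name__ == "__main__":
    # Constructed sample account, not real data.
    salt, stored = hash_password("s3cret-example")
    print("login ok:", verify_password("s3cret-example", salt, stored))
    # The stored digest is not the password, so a header built from it
    # would be rejected by the remote REST service.
    header = basic_auth_header("joga", stored.hex())
    print("header carries:", decode_basic_auth(header)[1][:16], "...")
    # A header built from the real password exposes it to any reader.
    print(decode_basic_auth(basic_auth_header("joga", "s3cret-example")))
```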