New EncryptPassword is using salt, any way to validate current password?


Hi,

On my personal cloud environment (10.0.200.2), the Users module's EncryptPassword output was rather short and generated a consistent password each time it was called.

But on my P10 .NET stack 10.0.303.0, the EncryptPassword output was very long and generated a different password (with a salt added) each time it was called.


My requirement for the Change Password screen is to validate the old/current password, in case users leave their computer without locking the screen first.

I think it is such a common practice for a Change Password screen.

However, since every time I called EncryptPassword a different output was produced, I could not compare it to the stored password in the Users entity.


Is there any way to validate current password?

The User_Login server action (or Do_Login client action) doesn't have an output parameter to indicate a successful login programmatically.


I don't want to force the user to log out and then log in again just to change the password, because after changing the password I need to make them re-login. It would be too repetitive and not intuitive.


Thanks in advance.

Solution

Hi Harlin,


Check the PlatformPasswordUtils extension. It has a method to validate whether the password matches.

I find it interesting that your personal has the old output, as that change was introduced in previous major versions of the platform (not in these last revisions). I'll check my personal to see if it still has the legacy behavior as well.


Regards,

João Rosado

Solution

Hi João,

I still cannot validate the password.


ValidatePassword(Form.Record.OldPassword, GetUserById.List.Current.User.Password)


It always returns false when entering the correct password.

Strange.


You are passing the first parameter as clear text and the second one is the one hashed from the database, right?

I did a quick test and all looks fine:


As you can see, both Users.EncryptPassword and the one from PlatformPasswordUtils generated different hashes for the same password, but both validated OK.


Regards,
João Rosado
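As an added example (not OutSystems platform code or the PlatformPasswordUtils implementation), this shows the behaviour João describes: a salted hash function returns a different string on every call for the same password, so re-hashing and comparing strings always fails, while a verify function that reads the salt out of the stored value succeeds. PBKDF2-SHA256, the `scheme$iterations$salt$hash` storage format and the iteration count are assumptions for this example only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; the platform's real parameters are not known here.
ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>' (assumed format).

    A fresh random salt is drawn on every call, which is why two calls for the
    same clear-text password never produce the same string.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(clear_text: str, stored: str) -> bool:
    """Check clear_text against a stored record: the salt and iteration count
    are taken from the record itself, then the digest is recomputed and compared
    in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record, e.g. a legacy unsalted value
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", clear_text.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def naive_compare(clear_text: str, stored: str) -> bool:
    """The approach from the original question: re-encrypt and compare strings.
    Fails because hash_password() picks a new salt each time."""
    return hash_password(clear_text) == stored


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample Users record
    print(naive_compare("correct horse", stored))    # False: different salt each call
    print(verify_password("correct horse", stored))  # True
    print(verify_password("wrong password", stored)) # False
```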

Hi, sorry it was my classic mistake...

I was referencing the screen's local variable instead of the Form's Record variable.

ValidatePassword is working as intended, thank you.


Best Regards,

Harlin.

Guys,


I know that this is marked resolved. However, I just wanted to note that, like Harlin, I was storing a temporary password as well in the same manner. This functionality was working perfectly until I upgraded to OutSystems 11 for the latest release of OutSystems 10. I wasn't aware that this change was made prior to OutSystems 11. I'm sure the ValidatePassword suggestion will work for me as well.


Love the community!! :-)

Oh, sorry about that. It's kind of my fault, and it was a follow-up to this thread.


The change only affects personal cloud environments and removes the legacy hashing method from being used on new/modified passwords, to increase the security of the personals.


This configuration was not supported in enterprise environments, and this breaking change (not being possible to compare password hashes) was already listed in the breaking changes document for version 9.1, so it was not included again in the breaking changes and side effects document for 11.


Regards,

João Rosado