New EncryptPassword is using salt, any way to validate current password?


Hi,

On my personal cloud environment (10.0.200.2), the Users module's EncryptPassword output was rather short and generated a consistent password each time it was called.

But on my P10 .net stack 10.0.303.0, the EncryptPassword output was very long and generated a different password (with salts added) each time it was called.


My requirement for the Change Password screen is to validate the old/current password, in case users left their computer without locking the screen first.

I think it is such a common practice for a Change Password screen.

However, since every time I called EncryptPassword a different output was produced, I could not compare it to the stored password in the Users entity.


Is there any way to validate current password?

The User_Login server action (or Do_Login client action) doesn't have an output parameter to indicate a successful login programmatically.


I don't want to force users to log out and then log in again just to change their password, because after changing the password I need to make them re-login. It would be too repetitive and not intuitive.


Thanks in advance.

Solution

Hi Harlin,


Check the PlatformPasswordUtils extension. It has a method to validate if the password matches.

I find it interesting that your personal has the old output, as that change was introduced in previous major versions of the platform (not in these last revisions). I'll check my personal to see if it still has the legacy behavior as well.


Regards,

João Rosado


Hi João,

I still cannot validate the password.


ValidatePassword(Form.Record.OldPassword, GetUserById.List.Current.User.Password)


It always returns false when entering the correct password.

Strange.


You are passing the first parameter as clear text and the second one is the one hashed from the database, right?

I did a quick test and all looks fine:


As you can see both Users.EncryptPassword and the one from PlatformPasswordUtils generated different hashes for the same password, but both validated ok.

 

Regards,
João Rosado
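
The behaviour described above (a different hash on every call, yet the clear-text password still validates), as an added example that is not part of the original thread and is not OutSystems code. It assumes an illustrative PBKDF2-HMAC-SHA256 scheme with the salt stored inside the hash string; the functions `encrypt_password`, `validate_password` and `change_password` and the stored format are hypothetical stand-ins, not the PlatformPasswordUtils implementation.

```python
import base64
import hashlib
import hmac
import os

# Illustrative scheme only: PBKDF2-HMAC-SHA256 with a per-call random salt.
# The "$pbkdf2-sha256$<iterations>$<salt>$<digest>" layout is constructed for
# this example and is not the OutSystems stored-password format.
ITERATIONS = 100_000
PREFIX = "pbkdf2-sha256"


def encrypt_password(password: str) -> str:
    """Hash with a fresh random salt, so every call returns a different string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["", PREFIX, str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def validate_password(clear_text: str, stored: str) -> bool:
    """Re-derive the digest using the salt embedded in the stored value."""
    try:
        _, prefix, iterations, salt_b64, digest_b64 = stored.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed or foreign-format stored value
    if prefix != PREFIX or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", clear_text.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def change_password(stored: str, old_clear: str, new_clear: str) -> str:
    """Change Password flow: check the current password, then hash the new one."""
    if not validate_password(old_clear, stored):
        raise PermissionError("current password does not match")
    return encrypt_password(new_clear)
```

Comparing `encrypt_password(old)` to the stored value with `==` fails because the salts differ; only a validation step that reuses the stored salt can match.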

Hi, sorry it was my classic mistake...

I was referencing the screen's local variable instead of the Form's Record variable.

ValidatePassword is working as intended, thank you.


Best Regards,

Harlin.