password management
I am new to OutSystems... Is there a recommended way to store and manage end-user passwords securely using the OutSystems platform for both Web and Mobile?

Hi Minyan Mensch,

To store passwords securely you can use salted password hashing (always hash on the server).

To Store a Password

  1. Generate a long random salt (here, the salt is a random string of any combination of characters).
  2. Prepend the salt to the password and hash it with a standard password hashing function (https://success.outsystems.com/Documentation/10/Reference/OutSystems_APIs/PlatformPasswordUtils_API).
  3. Save both the salt and the hash in the user's database record.

To Validate a Password

  1. Retrieve the user's salt and hash from the database.
  2. Prepend the salt to the given password and hash it using the same hash function.
  3. Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect.
Thanks,

Amit
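The store and validate steps above, as an added example in Python that is not from the original post or from the OutSystems platform: it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the PlatformPasswordUtils API, passes the salt to the KDF as a parameter instead of string-prepending it, and compares the two hashes in constant time. The iteration count and salt length are values chosen for this example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; the platform API has its own.
PBKDF2_ITERATIONS = 600_000   # slows down offline guessing of a leaked hash
SALT_BYTES = 16               # 128-bit random salt, unique per user record


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted hash: the KDF mixes the salt in; no manual concatenation needed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """'To Store a Password': random salt, salted hash, both saved in the record."""
    salt = secrets.token_bytes(SALT_BYTES)          # step 1: CSPRNG, never a constant
    digest = _derive(password, salt, PBKDF2_ITERATIONS)  # step 2
    # step 3: what would be written to the user's database row (hex for readability)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def validate_password(record: dict, candidate: str) -> bool:
    """'To Validate a Password': re-derive with the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])            # step 1: load salt and hash
    expected = bytes.fromhex(record["hash"])
    digest = _derive(candidate, salt, record["iterations"])  # step 2: same function
    # step 3: hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest, expected)


def same_password_different_hashes(password: str) -> bool:
    """Shows why the salt matters: two users with the same password get different rows."""
    a = store_password(password)
    b = store_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")   # constructed sample password
    print("stored record:", rec)
    print("valid login:", validate_password(rec, "correct horse battery staple"))
    print("wrong password:", validate_password(rec, "Tr0ub4dor&3"))
    print("salt makes equal passwords differ:", same_password_different_hashes("hunter2"))
```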

Hi Minyan Mensch,

Like Amit mentions, the typical way of storing and validating user passwords in a database is by storing a salted hash of the password. This makes it a lot harder for someone who manages to get access to your database to determine what the passwords are. The platform implements this mechanism for User creation (through the Users application) and User login.

If you want, you can add a reference to the EncryptPassword function/action of the Users module; it receives a username and password and returns the salted hash for that password. This is the same encryption algorithm that is used by the User_Login action used on the Login screen of your applications.