User Password Retrieve
Question

Hi All,

Can anyone tell me how to retrieve a user password in OutSystems?

I have an encrypted password in the User entity, but how can I decrypt the password?


Please suggest.

Thanks


MVP
Rank: #19
Solution

Hi Amogh Mishra,

OutSystems follows industry best practices here and does not store passwords in the database. It stores a hash of the password that cannot be used to recover the original password. When it needs to check if the user inserted the right password, it just applies the same hashing algorithm to the inserted password and compares that to what is stored in the User record.

If you need to store sensitive information in a retrievable format, you may want to check other alternatives like using the CryptoAPI forge component.

Hope this helps!

Rank: #89

Hi Amogh,

I don't think you can decrypt the user password; your only option is to validate the user's password.

You need to use "Password Platform Utils" from references and get the validate password action from there.


Regards

Rahul Sahu

Rank: #5433

Hi Amogh,

I really doubt there would be such a decryption mechanism else it would allow you to decrypt any other user's password from user entity.

Maybe you can have a look at the user module just in case you are planning to reset your password.


Thanks.

Rank: #177

Hi Amogh,

You can look at CryptoAPIDemo (a dependency of CryptoAPI) and try using Encrypt & Decrypt.

https://www.outsystems.com/forge/component-overview/4554/cryptoapi-demo

https://www.outsystems.com/forge/component-overview/437/cryptoapi 

Regards.

Rank: #13771

@Jorge and @Rahul,

Thanks, I understood; the solution @Rahul provided works in one case.

@Jorge, can we store the same password in its decrypted form in one table and map it accordingly to the User entity?

And if an admin wants to see the original password, I can see it from this table.


Thanks

Amogh

MVP
Rank: #19

@Amogh,

That would be a HUGE security risk.

It is possible to store whatever you want in one of your own entities, of course, but in order to store the unencrypted password you would need to do it before it's encrypted and saved on the User record.

Programmatically this would be fairly simple (if your application UI is used to retrieve the user details in order to create it in the system), but if users are created via the Users application, then you won't be able to get the original password.

Rank: #13771

Thanks @Jorge.

Got your concern.


Thanks

Amogh

MVP
Rank: #2

I cannot state enough what Jorge also said: YOU SHOULD NEVER EVER EVER DO THIS. Users expect their passwords to be safe, nobody should EVER have access to them. EVER. Don't even think of doing this. Really.


Rank: #5982

OutSystems encrypts the password with MD5. MD5 by default cannot be decrypted.

It is not at all recommended to decrypt the password, due to security standards, but if you want there are sites that decrypt the MD5 hash.

https://www.md5online.org/md5-decrypt.html

MVP
Rank: #19

Guilherme,


MD5 is not "decryptable" as it is a one-way process, and more than one original value can lead to the same hashed result. Regardless, as far as I know it's no longer the standard hashing algorithm used by OutSystems; all modern versions of the platform now employ SHA512 with a salt.

The site you linked will likely try to brute-force guessing the original value by using a dictionary (a database of words/possible passwords), apply the hashing algorithm to each of its contents and compare with the hashed value (just like the platform does to validate passwords).

Please, like I mentioned and Kilian reinforced, storing passwords unencrypted in the database is something you DO NOT DO (you violate all expectations from everyone regarding passwords and leave the door open to monumental breach of information), decrypting a hashed password is something YOU CANNOT DO (mathematically it's not possible).
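
The store-a-salted-hash, re-hash-and-compare flow described in the replies above, as an added example that is not part of any original post and is not OutSystems' own code. The use of PBKDF2-HMAC-SHA512, the iteration count, the record layout and the function names are assumptions chosen for illustration.

```python
# Added example: salted one-way password storage and verification.
# PBKDF2-HMAC-SHA512, ITERATIONS and the record layout are assumptions,
# not the platform's actual scheme.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 210_000  # assumed work factor
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex'.

    The plaintext is never part of the record, and there is no inverse
    function: the only supported operation on a record is verification.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    try:
        iterations_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    pw = "correct horse battery staple"
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("same password, different records:", rec_a != rec_b)
    print("right password verifies:", verify_password(pw, rec_a))
    print("wrong password verifies:", verify_password("wrong guess", rec_a))
```

Because each record carries its own random salt, two users with the same password get different stored values, and a password reset flow replaces the record rather than revealing the old password.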

MVP
Rank: #2

Indeed. I'm going to close this topic now, everything that needs to be said has been said.