Posted to dev@ofbiz.apache.org by CGrantAnderson <ga...@incomm.com> on 2010/07/07 00:55:56 UTC

Comparing ofBiz Hashed Passwords in .NET

I am working on an application that wants to leverage the ofBiz user logins
to allow ofBiz users to automatically log on to another application developed
in .NET ASP.NET.  The ASP.NET application gets a login from the user and
then accesses a copy of the ofBiz user login table to compare passwords for
login validation.  I have the .NET code creating a SHA-1 password hash but
it does not compare properly to the encrypted passwords in ofBiz.  I wrote
some test Java code and determined that its version of SHA-1 is the same as
the .NET version hash.  So it looks like a salt is being used but none of
the ofBiz developers where I work can point out how to find the salt value
or help me with this.  I have looked through the login code and it looks
like a straight SHA-1 hash using MessageDigest.  But then the hashed
passwords should match but they don't.

Can someone tell me what (and where) the salt value is that is being used? 
Or if I'm missing something here what it is?  And possibly point me to where
in the documentation this is covered (if it is)?

Thanks!

   - Grant
-- 
View this message in context: http://ofbiz.135035.n4.nabble.com/Comparing-ofBiz-Hashed-Passwords-in-NET-tp2280296p2280296.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.

Re: Comparing ofBiz Hashed Passwords in .NET

Posted by Scott Gray <sc...@hotwaxmedia.com>.
How old is the OFBiz instance?  The hex encoding was messy a few years back, which resulted in unexpected results, but that's been fixed for a while now.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 7/07/2010, at 10:55 AM, CGrantAnderson wrote:

> 
> I am working on an application that wants to leverage the ofBiz user logins
> to allow ofBiz users to automatically log on to another application developed
> in .NET ASP.NET.  The ASP.NET application gets a login from the user and
> then accesses a copy of the ofBiz user login table to compare passwords for
> login validation.  I have the .NET code creating a SHA-1 password hash but
> it does not compare properly to the encrypted passwords in ofBiz.  I wrote
> some test Java code and determined that its version of SHA-1 is the same as
> the .NET version hash.  So it looks like a salt is being used but none of
> the ofBiz developers where I work can point out how to find the salt value
> or help me with this.  I have looked through the login code and it looks
> like a straight SHA-1 hash using MessageDigest.  But then the hashed
> passwords should match but they don't.
> 
> Can someone tell me what (and where) the salt value is that is being used? 
> Or if I'm missing something here what it is?  And possibly point me to where
> in the documentation this is covered (if it is)?
> 
> Thanks!
> 
>   - Grant


Re: Comparing ofBiz Hashed Passwords in .NET

Posted by Adam Heath <do...@brainfood.com>.
CGrantAnderson wrote:
> I am working on an application that wants to leverage the ofBiz user logins
> to allow ofBiz users to automatically log on to another application developed
> in .NET ASP.NET.  The ASP.NET application gets a login from the user and
> then accesses a copy of the ofBiz user login table to compare passwords for
> login validation.  I have the .NET code creating a SHA-1 password hash but
> it does not compare properly to the encrypted passwords in ofBiz.  I wrote
> some test Java code and determined that its version of SHA-1 is the same as
> the .NET version hash.  So it looks like a salt is being used but none of
> the ofBiz developers where I work can point out how to find the salt value
> or help me with this.  I have looked through the login code and it looks
> like a straight SHA-1 hash using MessageDigest.  But then the hashed
> passwords should match but they don't.
> 
> Can someone tell me what (and where) the salt value is that is being used? 
> Or if I'm missing something here what it is?  And possibly point me to where
> in the documentation this is covered (if it is)?

There is no salt in ofbiz passwords.

I have a patch that adds support for it, that is compatible with unix
crypt(3).
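
A diagnostic for the mismatch discussed in this thread, added here as an example and not code from OFBiz or from any of the posters: given a password you know and the value stored for it, it reports which byte encoding and digest rendering reproduce the stored unsalted SHA-1 value. The `{SCHEME}` prefix handling, the list of encodings tried, and the sample values are assumptions.

```python
import base64
import hashlib
import hmac

# Byte encodings to try. .NET's Encoding.Unicode is UTF-16LE, while Java's
# String.getBytes() uses the platform default (often UTF-8 or cp1252).
# This list is an assumption for the example, not taken from OFBiz.
ENCODINGS = ("utf-8", "utf-16-le", "cp1252")


def strip_scheme(stored):
    """Drop a leading '{SCHEME}' tag (assumed format) and surrounding whitespace."""
    stored = stored.strip()
    if stored.startswith("{") and "}" in stored:
        return stored[stored.index("}") + 1:]
    return stored


def renderings(password):
    """Yield (label, text) for each way an unsalted SHA-1 digest may be written."""
    for enc in ENCODINGS:
        try:
            raw = hashlib.sha1(password.encode(enc)).digest()
        except UnicodeEncodeError:
            continue  # password is not representable in this encoding
        yield enc + "/hex", raw.hex()
        yield enc + "/base64", base64.b64encode(raw).decode("ascii")


def identify(password, stored):
    """Return the labels of every rendering that equals the stored value."""
    body = strip_scheme(stored)
    hits = []
    for label, text in renderings(password):
        # Hex digits compare case-insensitively; base64 is case-sensitive.
        candidate = body.lower() if label.endswith("/hex") else body
        if hmac.compare_digest(text.encode(), candidate.encode()):
            hits.append(label)
    return hits


if __name__ == "__main__":
    # Constructed sample row: what a caller hashing UTF-16LE bytes would store.
    pw = "p\u00e4ss"
    stored = "{SHA}" + hashlib.sha1(pw.encode("utf-16-le")).hexdigest().upper()
    print(identify(pw, stored))
    print(identify("wrong", stored))
```

An empty result means the stored value is not an unsalted SHA-1 of that password in any rendering tried, which points to a difference the script does not model, such as a non-standard digest-to-text encoder.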