Posted to dev@ofbiz.apache.org by Chandresh Turakhia <ch...@bhartitelesoft.com> on 2007/02/02 07:26:38 UTC

Re: How do I decrypt passwords?

Team,

Is it worth looking at

http://www.jasypt.org/faq.html

Jasypt (Java Simplified Encryption) has released version 1.0. Jasypt allows 
the developer to add basic encryption capabilities to his/her projects with 
minimum effort, and without the need of having deep knowledge on how 
cryptography works.

Feature Overview:
* It follows the RSA standards for Password-Based Cryptography.
* It is completely thread-safe.
* Can be both used in an "easy" way, with almost no difficulty, or in a 
highly-configurable, power-user way.
* It provides comprehensive guides and javadoc documentation, to allow 
developers to better understand what they are really doing to their data.
* It provides a Hibernate integration add-on (jasypt-hibernate) for 
persisting fields of your mapped entities in an encrypted manner. Encryption 
of fields is defined in the Hibernate mapping files, and it remains 
transparent for the rest of the application (useful for sensitive personal 
data, databases with many read-enabled users...)
* It can be perfectly integrated into a Spring application. All the 
digesters and encryptors in jasypt are designed to be easily used 
(instantiated, dependency-injected...) from an IoC container like Spring. 
And, because of it being thread-safe, they can be used without worries in a 
singleton-oriented environment like Spring.
* It allows a very high level of configurability: The developer can 
implement tricks like instructing an "encryptor" to ask a, for example, 
remote HTTPS server for the password to be used for encryption.

----- Original Message ----- 
From: "Chandresh Turakhia" <ch...@bhartitelesoft.com>
To: <an...@sykesdevelopment.com>; <de...@ofbiz.apache.org>; 
<ds...@rippe.com>
Sent: Thursday, January 25, 2007 3:03 AM
Subject: Re: How do I decrypt passwords?


Andrew & Drew,

 May I bring to light a different aspect of password generation:

        It generates the **same** "encrypted password" every time, e.g. 
"test" may generate "XYXQ1111". For the next "test" as password it will also 
generate "XYXQ1111".

        I needed to stop users from registering with standard passwords like 
"test"; "test123"; "bharti" etc.  All I had to do was run the program 
which checks for these "standard generated passwords" and check them against 
the "generated user-entered password" in batch or online. In case the string 
matches, stop him from completing the process.  I admit it was a really dirty 
hack.

        This is a debatable issue - is it a feature or a bug :)    OFBiz being 
open source, it has far more implications.

         Can password generation be parameterized so the generated password 
is different?

Chand


----- Original Message ----- 
From: "Andrew Sykes" <an...@sykesdevelopment.com>
To: <de...@ofbiz.apache.org>
Sent: Wednesday, January 24, 2007 8:08 AM
Subject: Re: How do I decrypt passwords?


> Drew,
>
> I believe the encryption is asynchronous, i.e. not reversible.
>
> - Andrew
>
> On Wed, 2007-01-24 at 10:33 -0500, Stephens, Drew wrote:
>> I have a question about decrypting passwords from the User_Login table.
>> We need to prepare a file of User ID and passwords to an external
>> system, I think I have found the programming used to encrypt and save
>> the password to the database but I could not find any logic to decrypt
>> the password.  Obviously, if we can't decrypt we can't provide the
>> password.  I don't want to reverse engineer the encryption logic and
>> then write a new decryption logic; I want to use something that already
>> exists.
>>
>> We are running an old version of OFBIZ, I think 1.1 but I don't remember
>> exactly how to find out for sure.
>>
>> Thanks for any help you can provide.
>>
>>
>> Drew Stephens
>> Rippe & Kingston Systems, Inc.
>> dstephens@rippe.com
>> Phone: (513) 977-4573
>>
>> Visit us at: www.rippe.com
>>
>> 1077 Celestial Street, Cincinnati, Ohio 45202-1696
>>
>> ========================================================================
>> =======
>>
>>
> -- 
> Kind Regards
> Andrew Sykes <an...@sykesdevelopment.com>
> Sykes Development Ltd
> http://www.sykesdevelopment.com
>
>
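
The behaviour discussed in this thread (a one-way hash that yields the same stored value for the same password, and a parameter that would make it differ) can be seen side by side in the following added example, which is not code from the thread, from OFBiz or from Jasypt. It assumes Java 17 or later and uses SHA-1 as a stand-in for the unsalted scheme, since the thread does not name the algorithm; the class, the method names, the iteration count and the denylist are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStorageDemo {
    static final HexFormat HEX = HexFormat.of();
    static final int ITERATIONS = 600_000; // constructed value for the example
    // Constructed denylist using the passwords named in the thread.
    static final Set<String> DENYLIST = Set.of("test", "test123", "bharti");
    // Unsalted digest (SHA-1 is an assumption): same input, same stored value.
    static String unsalted(String pw) throws Exception {
        return HEX.formatHex(MessageDigest.getInstance("SHA-1")
                .digest(pw.getBytes(StandardCharsets.UTF_8)));
    }

    static byte[] pbkdf2(String pw, byte[] salt, int iters) throws Exception {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(
                new PBEKeySpec(pw.toCharArray(), salt, iters, 256)).getEncoded();
    }

    // Salted form: a fresh random salt per user, stored beside the hash.
    static String store(String pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return ITERATIONS + ":" + HEX.formatHex(salt) + ":"
                + HEX.formatHex(pbkdf2(pw, salt, ITERATIONS));
    }

    // Login check: recompute with the stored salt, compare in constant time.
    static boolean verify(String pw, String stored) throws Exception {
        String[] p = stored.split(":");
        return MessageDigest.isEqual(HEX.parseHex(p[2]),
                pbkdf2(pw, HEX.parseHex(p[1]), Integer.parseInt(p[0])));
    }

    // Registration check runs on the plaintext, before anything is hashed.
    static boolean isDenied(String pw) { return DENYLIST.contains(pw.toLowerCase(Locale.ROOT)); }
    public static void main(String[] args) throws Exception {
        System.out.println("unsalted values equal: " + unsalted("test").equals(unsalted("test")));
        System.out.println("salted values equal:   " + store("test").equals(store("test")));
        System.out.println("salted value verifies: " + verify("test", store("test")));
        System.out.println("Test123 denied:        " + isDenied("Test123"));
    }
}
```

With a per-user salt the stored values can no longer be compared against precomputed hashes of common passwords, so the denylist check has to run on the submitted plaintext at registration time.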