> When validating a user, we hash the password they give us and compare to the hashed
> password we have stored. We cannot take the hashed password and regenerate the
> original password.

Hashes don’t change because you copy them.

-John

On Mon, Jan 6, 2014 at 1:54 AM, Jean-Louis Halleux <[email protected]> wrote:

> Hello Doug,
>
> I have then a question if you cannot decrypt a password: how can you export data from the user form (including the password field), and then import it to another server (with the password field)? I tried it a long time ago, and it used to work: users had access to the new server.
>
> Best regards,
>
> Jean-Louis Halleux
> [email protected]
>
> On 02 Jan 2014, at 18:35, "Mueller, Doug" <[email protected]> wrote:
>
> > Several comments on this thread.
> >
> > First...
> >
> > There is no way to get a user's current password. PERIOD. It is not possible. We in fact do not ever store the user's password in our system. We store a one-way hashed copy of the password.
> >
> > When validating a user, we hash the password they give us and compare to the hashed password we have stored. We cannot take the hashed password and regenerate the original password.
> >
> > This is the most secure method for handling passwords in the system. And, no one, not even an Administrator, can ever get the password that a user has defined.
> >
> > This is important because users generally use the same password for many things so if you could reverse engineer their password you could gain access to other things that that user has access to. This is not possible with the strategy we use.
> >
> > Now, on to the question about wanting to verify a user.....
> >
> > If you are coming in from a client or from workflow and you are the user and you want the user to verify their own password, the Application-Confirm-Password operation will work. NOTE that this is verifying the password of the CURRENT user session. There is no ability for one user to use this command to verify the password of another user.
> >
> > If you are coming in from an API program, simply issue a call like ARVerifyUser and supply the user name and password (and authentication information if that is required) and validate the user. If you want to run the program as a different user than the user whose password you are changing, just use different control records for the program and the call to the ARVerifyUser (remember to terminate both sessions). This will validate the password for the user as you are logging them into the system.
> >
> > Note that if using external authentication, your password is not in the AR System at all so you likely should be changing it through another mechanism supplied by the external source. If you are using external authentication directly, you can still validate a user's password using the above techniques.
> >
> > Now, if using SSO, there is another layer going on. The AR System NEVER sees the user's password at all. That is intercepted at the SSO level. So, there is no way to validate the user's password through the AR System if using SSO (unless of course you write a custom interface to wherever SSO is validating things and you pass through that custom logic).
> >
> > I hope this is helpful in solving your situation.
> >
> > Doug Mueller
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList) [mailto: [email protected]] On Behalf Of Kulkarni, Adhwari
> > Sent: Thursday, January 02, 2014 1:06 AM
> > To: [email protected]
> > Subject: Re: Decrypt AR User password
> >
> > Hi James,
> > If you want to validate a user and change its password using API, you can simply create an instance of ARServerUser (Changes as per C/Java code) and pass the username and password that the user has entered.
> > By just trying to do a .login(), you should be able to check if it’s a valid user or not. Also, you can use the setPassword() method to change the password.
> > Also, you should not pass the passwords from field ID 102 to the APIs. The password passed through field 102 is hashed and not encrypted. If you need to confirm the password, pass it through field ID 123.
> >
> > Regards,
> > Adhwari
> > The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc.
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList) [mailto: [email protected]] On Behalf Of James Smith
> > Sent: 01 January 2014 19:35
> > To: [email protected]
> > Subject: Re: Decrypt AR User password
> >
> > Thanks LJ Longwing
> >
> > I tried executeSpecialCommand as well but it's generating the same exception.
> >
> > I saw a new method - ExecuteProcessForActiveLink but I need to pass the activelink name as an argument for this method.
> >
> > It seems there is no way to validate a user's password.
> >
> > Happy New Year.
> >
> > _______________________________________________________________________________
> > UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"

--
*John Sundberg*
Kinetic Data, Inc.
"Your Business. Your Process."
651-556-0930 | [email protected]
www.kineticdata.com | community.kineticdata.com
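
The exchange above turns on one property: a stored one-way hash can be copied to another server and still validates the same password, without the password ever being recoverable. The following Python sketch is an added illustration, not part of the thread and not AR System code; PBKDF2 with a per-user salt stands in for whatever hashing the product uses, and the `Server` class, login name and password are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # constructed work factor for this example


def make_record(password: str) -> dict:
    """What a server stores: salt and one-way digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Hash the supplied password the same way, then compare digests."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class Server:
    """Hypothetical user store keyed by login name."""

    def __init__(self):
        self.users = {}

    def set_password(self, login: str, password: str) -> None:
        self.users[login] = make_record(password)

    def export_users(self) -> str:
        return json.dumps(self.users)  # contains hashes only

    def import_users(self, blob: str) -> None:
        self.users.update(json.loads(blob))

    def login(self, login: str, password: str) -> bool:
        record = self.users.get(login)
        return record is not None and verify(record, password)


def migrate_demo() -> dict:
    """Export from one server, import on another, then try to log in."""
    old, new = Server(), Server()
    old.set_password("jsmith", "constructed-Passw0rd!")
    blob = old.export_users()
    new.import_users(blob)
    return {
        "password_in_export": "constructed-Passw0rd!" in blob,
        "login_on_new_server": new.login("jsmith", "constructed-Passw0rd!"),
        "wrong_password": new.login("jsmith", "guess"),
    }
```

The exported blob is still sensitive: anyone who obtains it can run offline guessing against the hashes, so the export file needs the same protection as the user form itself.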

