Hi Rayn,

I realized that the password storage scheme in Mifos is not just simple MD5; it
is a salted MD5 hash.

I didn't find any example of a MySQL function to create salted hashes.

e.g.

In "init_mifos_password.sql" you will see there is a query which updates the
password field (salted MD5 hash) in the personnel table. The password field is a
blob, and in the query "0x226...." (the salted MD5 hash) is in hexadecimal format,
28 bytes long.

Dividing the password hash string in the query (from left to right):
    - 0x (used for representation of hex numbers)
    - the first 12 hexadecimal numbers (24 chars) are the salt.
    - the later 16 hexadecimal numbers (32 chars) are the salted MD5 hash.

Now, to generate a new password the procedure will be:

 - create a 12 byte salt (randomized)
 - create a salted MD5 hash for the password string.

  The new password hash will be "0x" + 'salt (hex format)' + 'salted md5 hash
generated'.

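In Java you can do something like this:

import java.security.SecureRandom;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;

// The class name is arbitrary; it only wraps main() so the snippet compiles.
public class MifosPasswordHash {
    public static void main(String[] args) throws Exception {
        String password = "123456";
        byte[] passwordBytes = password.getBytes("UTF-8");
        // 12 random bytes of salt
        byte[] salt = new byte[12];
        new SecureRandom().nextBytes(salt);
        String saltHex = new String(Hex.encodeHex(salt));
        // data = salt followed by the UTF-8 bytes of the password
        byte[] data = new byte[salt.length + passwordBytes.length];
        System.arraycopy(salt, 0, data, 0, salt.length);
        System.arraycopy(passwordBytes, 0, data, salt.length, passwordBytes.length);
        // output: 0x + salt (hex) + MD5 of data (hex)
        System.out.println(" PASSWORD = 0x" + saltHex.toUpperCase()
                + DigestUtils.md5Hex(data).toUpperCase());
    }
}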

For this you will need
http://repository.jboss.org/maven2/apache-codec/commons-codec/1.2/commons-codec-1.2.jar
in the build path.

The output will be the hash that you need for the password, as it is given in
init_mifos_password.sql.


PS:  echo password | openssl md5 gives a different result than
DigestUtils.md5Hex(password) and 'select md5('password')'.

Udai
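
An added example, not part of the original message and not Mifos's own code: Python code for the 28-byte layout described above (12-byte salt followed by MD5 of salt + password), which builds the 0x... literal and also checks a password against a stored literal. The function names and the fixed salt used for testing are constructed for illustration; MD5 appears only because it is the format the message describes.

```python
import hashlib
import hmac
import os

SALT_LEN = 12  # bytes of salt at the front of the blob (from the message)
MD5_LEN = 16   # bytes of MD5 digest that follow the salt


def make_blob(password, salt=None):
    """Return salt || MD5(salt || UTF-8 password) as 28 raw bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 12 bytes")
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return salt + digest


def to_sql_literal(blob):
    """Format the blob as an upper-case 0x... hex literal."""
    return "0x" + blob.hex().upper()


def parse_sql_literal(literal):
    """Split a 0x... literal into (salt, digest); reject malformed input."""
    if literal[:2].lower() != "0x":
        raise ValueError("literal must start with 0x")
    blob = bytes.fromhex(literal[2:])  # raises ValueError on bad hex
    if len(blob) != SALT_LEN + MD5_LEN:
        raise ValueError("blob must be 28 bytes (12 salt + 16 digest)")
    return blob[:SALT_LEN], blob[SALT_LEN:]


def verify(password, literal):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = parse_sql_literal(literal)
    candidate = hashlib.md5(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    literal = to_sql_literal(make_blob("123456"))
    print(" PASSWORD =", literal)
    print(" verifies:", verify("123456", literal))
```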