Udai,

Wow, thanks for that in-depth investigation.  So at this point we cannot
easily replace a password straight in the database, which is fine.  Good
thing I went with my other method.

Good to know,
Ryan


On 11/30/09 22:16, "Udai Gupta" <mailt...@gmail.com> wrote:

> Hi Ryan,
> 
> I realized that the password storing scheme in mifos is not just simple md5, it is
> a salted md5 hash.
> 
> I didn't find any example of a mysql function to create salted hashes.
> 
> e.g. 
> 
> you will see in "init_mifos_password.sql" there is a query which updates the
> password field (salted md5 hash) in the personnel table. The password field is a
> blob, and in the query "0x226...." (salted md5 hash) is in hexadecimal format of
> 28 bytes.
> 
> Dividing the password hash string in the query (from left to right)
>     - 0x (used for representation of a hex numbers)
>     - first 12 hexadecimal numbers (24 chars) are the salt.
>     - later 16 hexadecimal numbers (32 chars) are the salted md5 hash.
> 
> Now, to generate a new password the procedure will be,
> 
>  - create a 12 byte salt (randomized)
>  - create a salted md5 hash for the password string.
>   
>   new password hash will be  "0x" + 'salt (hex format)' + 'salted md5 hash
> generated'
> 
> In java you can do something like this.
> 
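> import java.security.SecureRandom;
> import org.apache.commons.codec.binary.Hex;
> import org.apache.commons.codec.digest.DigestUtils;
> 
> public class MifosPasswordHash {
>     public static void main(String[] args) throws Exception {
>         String password = "123456";
>         byte[] passwordBytes = password.getBytes("UTF-8");
>         // 12 random bytes of salt
>         byte[] salt = new byte[12];
>         new SecureRandom().nextBytes(salt);
>         String saltHex = new String(Hex.encodeHex(salt));
>         // data = salt followed by the UTF-8 password bytes
>         byte[] data = new byte[12 + passwordBytes.length];
>         System.arraycopy(salt, 0, data, 0, 12);
>         System.arraycopy(passwordBytes, 0, data, 12, passwordBytes.length);
>         // stored value: 0x + salt (hex) + MD5(salt + password) (hex)
>         System.out.println(" PASSWORD = 0x" + saltHex.toUpperCase()
>                 + DigestUtils.md5Hex(data).toUpperCase());
>     }
> }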
>  
> for this you will need
> http://repository.jboss.org/maven2/apache-codec/commons-codec/1.2/commons-codec-1.2.jar
> in the build path.
> 
> the output will be the hash that you need for password as it is given in
> init_mifos.password.sql.
> 
> 
> PS:  echo password | openssl md5 is giving a different result than 
> DigestUtils.md5Hex(password) and 'select md5('password')'.
> 
> Udai
> 
> 
> _______________________________________________
> Mifos-users mailing list
> Mifos-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mifos-users

-- 
Ryan Whitney  
Mifos Technical Program Manager
rwhit...@grameenfoundation.org
Mifos - Technology that Empowers Microfinance (www.mifos.org)
Our mission is to enable the poor, especially the poorest, to create a world
without poverty.  
<http://grameenfoundation.org/take-action/ingenuity-fund-challenge/>
Please consider the environment before printing this e-mail.
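
The stored format described in the quoted message (0x, then a 12-byte salt, then MD5 over salt followed by the UTF-8 password), written out as a generator and verifier. This is an added example, not code from the thread or from Mifos; the function names are hypothetical and the layout is assumed to be exactly what the quoted Java produces.

```python
import hashlib
import hmac
import os

SALT_LEN = 12    # bytes of salt (24 hex chars), per the thread
DIGEST_LEN = 16  # bytes of MD5 output (32 hex chars)


def make_stored_hash(password, salt=None):
    """Return '0x' + hex(salt) + hex(MD5(salt || password)), upper-case."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return "0x" + (salt + digest).hex().upper()


def split_stored_hash(stored):
    """Split the 28-byte value into (salt, digest); reject malformed input."""
    if stored[:2].lower() != "0x":
        raise ValueError("missing 0x prefix")
    raw = bytes.fromhex(stored[2:])  # raises ValueError on non-hex input
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected 28 bytes, got %d" % len(raw))
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify(password, stored):
    """Recompute MD5(salt || password) and compare in constant time."""
    salt, expected = split_stored_hash(stored)
    actual = hashlib.md5(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    stored = make_stored_hash("123456")  # constructed sample password, as in the thread
    print(stored, verify("123456", stored), verify("12345", stored))
    # `echo password` emits "password\n", so openssl hashes different bytes
    # than md5Hex("password") or MySQL md5('password') do.
    print(md5_hex(b"password"), md5_hex(b"password\n"))
```

A single round of salted MD5 is cheap to brute-force offline, so this reproduces the existing column format for compatibility only; new storage would use a slow password hash such as bcrypt, scrypt or Argon2.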

