I am facing issue while creating/updating password in grails 3.x.x Application. Whenever i try to enter any special case lets say "#" it encodes only this special character in password field.
Password value is coming from request body.
Example:
Real password : abc#555
Auto Encoded password : abc%40555
Grails by default uses a plugin that uses bcrypt algorithm to hash passwords for security.There are some configurable password hashing attributes. You can customize the password plugin with the grails.plugin.springsecurity.password.algorithm attribute.
Related
I am trying to update a form where user information is diplayed which has password field.
Password is SHA256 format,When I Submit the form
Struts2 throws the below error
InterceptorMapping: [conversionError] => [org.apache.struts2.interceptor.StrutsConversionErrorInterceptor]
In case the password is not SHA256 it works all well.
Any inputs why struts2 interceptor can not understand sha256 ?
Problem Resolved there was one interceptor which whitelisted some special chars and since sha256 includes { character which was not included in the list and hence the exception
I used grails acl security. I wanted to change or edit password of a user after logging as an admin. But when i go to the edit mode, then the password field is showing the encrypted text that was saved before as encrypted string in user table. Is there any way to decrypt the string fetched from database and show in original string form in the password field?
I did not get any straight solution to do this in grails acl.
Any help would be appreciated.
There aren't very good reasons to display the cleartext password. As the user or an admin, if you want to change the password then you do it like any other property. Display the old value (either as * characters since it's a password or possibly the hashed value if you are an admin) and then you can enter a new password. This will get hashed and stored when you update.
As long as the cleartext password satisfies the validation requirements (minimum length, special chars, etc.) then the update should work fine.
Note that passwords are generally not encrypted (which implies that they can be decrypted) but hashed. Hash algorithms are lossy - given any input the hash is typically a fixed length output, so it cannot contain all of the original data and can't be used to retrieve the original value. For passwords this is fine. To authenticate, you don't de-hash the stored value and compare to the cleartext value from the login page - you hash the login page value and compare to the stored hash. With some algorithms they'll be the same, and others (e.g. bcrypt) they'll be different but equivalent, and the algorithm will have a way to check that they're equivalent.
No it is impossible to decrypt the password . It is bad idea to show password to user in edit mode. Its violet the security law. You can change a user's password but can not see it.
I haven't decrypted or d-hashed the password but added a new page to change password for a user. in workflow i did as follows:
1. while creating a user, new hashed password is created
2. while edit, all other desired information are allowed to edit except password (but password is showing in hashed dotted mode for security).
3. added a new link named 'change password' in the user list beside each user
4. finally in the newly created 'changePassword' page, i have assigned another new password with hash operation for the particular user
I am wanting to validate a password in my own controller.
Is there any way I can sent the password to spring security UI and get a return if the password validates?
You are looking for:
springSecurityService.encodePassword
If you have configured your system with salt you will need that as well. Just encode the String, and read the encoded String from your user object, and compare the two
Docs:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/single.html#6.2%20SpringSecurityService
I'm trying to write a simple ASP.Net app that allows the users to log in with their username and password. I'm using an EF database in the .NET Framework 4, coding in C#. My problem is, when the user registers their details on the registration page, their password value does not save. That textfield is a password field.
How can I save the passwords actual value in the database, but keep the textfield as password? Would I need to encrypt it? I've never done encryption, so any help would be appreciated. Thanks
You should use some cryptographic algorithm to compute the hash for password string (see Hash string in c#). Then store it as byte array or encoded string (like hex or base64) in db.
I've read a post here about password encoder, and saw this syntax:
passwordEncoder.isPasswordValid(user.password, params.password, null)
I already used this in my grails project which has bcrypt password encryption plug-in and it works well.
I'm just curious what's the third parameter for which has a null value?
thank you for sharing.
That's for passing in a salt if you use one.