← Back to team overview

dhis2-devs team mailing list archive

Re: Password Generation

 

OK you asked for it ...

Ken the algorithm is contained in the attached Password.java file (its
based on what I figured out from the spring source code).  This little java
program takes the username and password as parameters and outputs the
username,password and hash as recognised by dhis2.

So if you have for example a csv file containing many, many users, then you
can incorporate a script along the lines of the attached genpass.tcl to
generate the hash codes in bulk.  Or just expand the java program to read
the csv file and possibly even write into postrgres table.  (Personally I
prefer to do do things a little bit at a time and script through psql).
 Anyway thats up to you .. the algorithm is here.

There are some security considerations.  The hash algorithm itself is not
great, but you are stuck with emulating what happens inside dhis2 so no
point tinkering with that (MD5 must seem like plaintext to the NSA
nowadays).  A more important consideration is how to generate the 45000
passwords.  I have used the makepasswd program to generate fairly cryptic
random passwords (also in a script) but users didn't like them, naturally.
 Randy initially assigned them things like password1, password2, password3
etc which is also not ideal.

I wonder is the self registration feature an option for you?  Not that
users necessarily pick good passwords anyway :-(

Regards
Bob


On 20 March 2014 07:18, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:

> I think Bob is the best source for this. I have some R scripts but the
> generated password is not always correct due to peculiar methods which
> spring uses to encrypt the passwords which elude me.
>
> --Sent from my mobile
> On Mar 20, 2014 5:46 PM, "Knut Staring" <knutst@xxxxxxxxx> wrote:
>
>> Here are some documents that Randy Wilson shared on the list - though
>> they state for  "Hashpassword: we have not yet found a quicker way to do
>> this than to send the excel file to Bob Jolliffe or Knut Staring (HISP).
>> There is a special algorithm they use to create the MD5 hash password,
>> combining the username and the assigned text password." Unfortunately I
>> don't remember exactly how I used to do it...would be good if you share a
>> how to when you figure it out...
>>
>>
>> On Thu, Mar 20, 2014 at 7:42 AM, Jason Pickering <
>> jason.p.pickering@xxxxxxxxx> wrote:
>>
>>> Hi Kenneth,
>>>
>>> You must look at the source code of DHIS2 and Spring in order to
>>> understand it. It is not a simple hash, but a salted hash depending on the
>>> username and password together. This has been previously discussed on this
>>> list, but it is most clear by analyzing the source code.
>>>
>>> Best regards,
>>> Jason
>>>
>>>
>>>
>>> On Thu, Mar 20, 2014 at 5:39 PM, Kenneth Børtveit <
>>> kenneth.bortveit@xxxxxxxxx> wrote:
>>>
>>>> Hi.
>>>>
>>>> I am trying to generate passwords to almost 45,000 users in Rwanda.
>>>> There is no problem in generating a random sequence of characters, the
>>>> problem is storing it in a database.
>>>>
>>>> The password is stored as a hash, but I don't know which hash function
>>>> to use.
>>>>
>>>> Could anybody assist?
>>>>
>>>> -Kenneth
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>> --
>> Knut Staring
>> Dept. of Informatics, University of Oslo
>> +4791880522
>> http://dhis2.org
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>
package org.hisp.password;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 *
 * @author bobj
 */
public class Password {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) 
        throws Exception
    {
        String user = args[0];
        String password = args[1];

        System.out.println(getDHISHash(user, password));
    }
    
    protected static String getDHISHash(String user, String password)
        throws NoSuchAlgorithmException, UnsupportedEncodingException
    {
        String merged = password + "{" + user.hashCode() + "}";

        MessageDigest md = MessageDigest.getInstance("MD5");

        byte[] buf = md.digest(merged.getBytes("UTF-8"));
        String result = "";
        for (int i = 0; i < buf.length; i++) {
            result += Integer.toHexString((0x000000ff & buf[i]) | 0xffffff00).substring(6);
        }
        return result;
    }
}

Attachment: genpass.tcl
Description: Tcl script


Follow ups

References