dhis2-users team mailing list archive

Re: Editing Usernames

 

Hello Bob,

I hope the password hash uses a random component to 'salt' (permute) the hash in addition
to the username, not just the username itself. Otherwise, this would present a cryptographic
vulnerability in the system and in any other systems where the user uses the same
username/password combination, especially for usernames such as "root" and "admin".


- Edward -



----- Original Message -----
From: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
To: Muhire Andrew <muhireandrew@xxxxxxxxx>
Cc: "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, August 30, 2012 12:22 PM
Subject: Re: [Dhis2-users] Editing Usernames

Hi Andrew

A problem with modifying the username is that the password hash is
also encoded and saved using the username as part of the hash
algorithm.  So in order to modify the username you would also need to
reenter the password in order for it to be re-encoded.  This might be
problematic - even superusers don't necessarily know the passwords of
the users.

Bob

On 30 August 2012 08:29, Muhire Andrew <muhireandrew@xxxxxxxxx> wrote:
> Hi all,
>
> Dear dhis2 Users, I would suggest in DHIS2 to give administrator/superusers
> rights for modifying the existing username. At the moment it's not possible.
> I think this can be helpful in case you need to make modifications on some
> usernames without deleting the whole staff.
>
> NB: only superusers, because other users can make it worse, since most of
> these usernames are created with central level system administration
> standards.
>
> Thanks!
>
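
The trade-off discussed in this thread, as an added example that is not part of any message above and is not DHIS2's code: a hash salted only with the username is compared with a hash salted with a stored random value. The function names, the PBKDF2 parameters, the usernames and the password are assumptions constructed for the illustration; the thread does not state which hash algorithm DHIS2 used.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example


def legacy_hash(username: str, password: str) -> bytes:
    """Username-as-salt scheme (hypothetical stand-in for the one described)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)


def new_record(password: str) -> dict:
    """Random 16-byte salt stored beside the hash; the username is not an input."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def demo() -> dict:
    pw = "constructed-sample-password"  # constructed sample value
    # Username salt: the same username/password pair gives the same hash on any
    # system using the scheme, so one stored hash is reusable knowledge everywhere.
    same_hash_on_two_systems = legacy_hash("admin", pw) == legacy_hash("admin", pw)
    # Username salt: after a rename the stored hash no longer matches, so the
    # password must be re-entered (the obstacle described in the thread).
    stored = legacy_hash("amuhire", pw)
    rename_breaks_legacy_login = legacy_hash("a.muhire", pw) != stored
    # Random salt: two records for one password differ, and a rename only moves
    # the record to a new key without touching the salt or the hash.
    users = {"amuhire": new_record(pw)}
    other_system = new_record(pw)
    users["a.muhire"] = users.pop("amuhire")  # rename without knowing the password
    return {
        "same_hash_on_two_systems": same_hash_on_two_systems,
        "rename_breaks_legacy_login": rename_breaks_legacy_login,
        "random_salt_hashes_differ": users["a.muhire"]["hash"] != other_system["hash"],
        "login_after_rename": verify(users["a.muhire"], pw),
        "wrong_password_rejected": not verify(users["a.muhire"], "not-the-password"),
    }


if __name__ == "__main__":
    print(demo())
```
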
