dhis2-users team mailing list archive
-
dhis2-users team
-
Mailing list archive
-
Message #06077
Re: dhis 2.17 Password Algorithm
Hi Jason
Expanding yet further - and clearing up terminology - dhis2 does not
encrypt the password and store it. If it did, and you had the key, then
you could decrypt it. What dhis2 stores is a hash which is something
calculated from the password. These hash algorithms are designed to be as
irreversable as possible ie. you can calculate the hash from the password
(which is what happens when your password is checked when you login) but
not the password from the hash. So there is no encryption/decryption key
involved.
In general I think Lars's advice is what you should follow if you can.
Creating a bunch of user/password combinations in advance gives you two
headaches : (i) how do you generate the passwords? (ii) how do you then
securely distribute them?
Maybe the one case where you might want to create a user with a
pre-generated password is if you are trying to match credentials across
systems.
Bob
On 12 January 2015 at 11:41, Halvdan Grelland <halvdanhg@xxxxxxxxx> wrote:
> To further expand on this: bcrypt is a fully portable format which should
> allow you to generate and authenticate valid credentials using any (sane)
> implementation. Good implementations are available for most programming
> languages.
>
> Also, I might be misunderstanding you, but in reference to item #3 on your
> list: if your design requires you to decrypt password hashes (which is, as
> Jason P. suggests virtually impossible) it should probably be reconsidered.
>
> If you for some reason need to work with pre 2.17 systems there is a
> standalone implementation of the DHIS2 password hashing algo available at
> https://github.com/dhis2/dhispassword
>
>
> 2015-01-12 9:18 GMT+01:00 Jason Pickering <jason.p.pickering@xxxxxxxxx>:
>
>> Hi Jason,
>>
>> DHIS2 currently uses Bcrypt for encryption of the passwords.
>>
>> By far the easiest way achieve what you want is to create an XML (DXF2)
>> payload of the user(s) you need to create and import that into DHIS2. The
>> password in XML can be clear text,and will be encrypted by DHIS2 upon
>> import.
>>
>> Yes, users can be assigned to orgunits in this process.
>>
>> Although it is possible to decrypt the password in the DHIS2 database, it
>> could be a lengthy process requiring the password to be cracked. There is
>> no known algorithm to efficiently decrypt passwords which have been hashed
>> with Bcrypt.
>>
>> Best regards,
>> Jason Pickering
>>
>>
>>
>> On Mon, Jan 12, 2015 at 8:05 AM, Jason Phillips <jason@xxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>>
>>>
>>> A happy New Year to everyone, and may 2015 be a happy, healthy and
>>> prosperous year for us all!
>>>
>>>
>>>
>>> I know related questions have been asked in the past, but I thought this
>>> one worth asking anyway:
>>>
>>>
>>>
>>> We need to be able to add a user/password to an instance "externally" to
>>> dhis 2.x - i.e. either through PostgreSQL or by injecting a line into an
>>> .sql dump or something similar. The instance need not be running at the
>>> time.
>>>
>>> If I recall correctly, the algorithm used to encrypt the password in the
>>> Db changed at some point (I may be wrong), so for the purposes of this
>>> question assume that this applies only to versions 2.17 or higher.
>>>
>>> A couple of points come to mind:
>>>
>>>
>>>
>>> 1. What would be the best way to achieve what we need, in Oslo's
>>> opinion?
>>>
>>> 2. Can usernames be assigned to an OrgUnit at the same time?
>>>
>>> 3. Can a password be decrypted from an .sql file using the same
>>> algorithm?
>>>
>>>
>>>
>>> Many thanks and kind regards,
>>>
>>>
>>>
>>> Jason.
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-users
>>> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-users
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>> --
>> Jason P. Pickering
>> email: jason.p.pickering@xxxxxxxxx
>> tel:+46764147049
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help : https://help.launchpad.net/ListHelp
>
>
Follow ups
References