is there any way to decrypt user's password in CQ? | Community
October 16, 2015
Solved

is there any way to decrypt user's password in CQ?

  • October 16, 2015
  • 2 replies
  • 1352 views

Hi,

We have a forgot-password link in the app, wherein we need to retrieve the original password and mail the password in plain text to the end user.

The user password is stored in encrypted format in CRX (/home/users/), so is there any CQ / Sling API to decrypt the password?

OR is there any other way to implement the forgot / reset password in app?


thanks.

Best answer by Mateusz_Chromin

2 replies

Mateusz_Chromin (Accepted solution)
Level 2
October 16, 2015

I'm not convinced, but pretty sure the password is hashed/encrypted with an asymmetric key.

It is rarely seen, and considered a security flaw, to be able to retrieve the original password from the value stored inside the repository. The forgotten-password functionality should be implemented in the following way:

  1. User sends a request to reset the password
  2. Application sends a confirmation mail
  3. User clicks the link from the mail, confirming he wants to reset the password
  4. CQ generates a new password, changes the user password internally and sends a mail with the new password

However, from the CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that the getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials you can check the getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).

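The four-step reset flow from the accepted answer, as an added example built on the Jackrabbit User API that CQ exposes. This is not code from the original post or from Adobe. The class name PasswordResetService, the property names resetTokenHash and resetTokenExpiry, and the 30-minute token lifetime are assumptions made for the example. It stores only a SHA-256 hash of the one-time token, compares it in constant time, makes the token single-use, and sets the new password through User.changePassword(), which is the supported write path: rep:password holds a salted one-way hash, so the original password cannot be recovered from the repository and should never be mailed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;

// Added example, not part of the original post. Implements the reset flow of the accepted
// answer on top of the Jackrabbit User API; the resolver must belong to a service user
// with write access under /home/users.
public class PasswordResetService {

    // Assumed property names for this example; they are not CQ conventions.
    private static final String TOKEN_HASH_PROP = "resetTokenHash";
    private static final String TOKEN_EXPIRY_PROP = "resetTokenExpiry";
    private static final long TOKEN_TTL_MS = 30L * 60 * 1000; // assumed 30-minute lifetime

    private final SecureRandom random = new SecureRandom();

    /** Steps 1 and 2: create a one-time token; only its hash is stored, the raw token goes into the mailed link. */
    public String beginReset(ResourceResolver resolver, String userId) throws RepositoryException {
        User user = lookupUser(resolver, userId);
        if (user == null) {
            return null; // caller sends the same neutral reply either way, so user IDs are not enumerable
        }
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        Session session = resolver.adaptTo(Session.class);
        ValueFactory vf = session.getValueFactory();
        user.setProperty(TOKEN_HASH_PROP, vf.createValue(sha256Hex(token)));
        user.setProperty(TOKEN_EXPIRY_PROP, vf.createValue(System.currentTimeMillis() + TOKEN_TTL_MS));
        session.save();
        return token;
    }

    /** Steps 3 and 4: verify the presented token, consume it, set a fresh random password and return it for the mail. */
    public String completeReset(ResourceResolver resolver, String userId, String presentedToken) throws RepositoryException {
        User user = lookupUser(resolver, userId);
        if (user == null || presentedToken == null
                || !user.hasProperty(TOKEN_HASH_PROP) || !user.hasProperty(TOKEN_EXPIRY_PROP)) {
            return null;
        }
        Value[] storedHash = user.getProperty(TOKEN_HASH_PROP);
        Value[] expiry = user.getProperty(TOKEN_EXPIRY_PROP);
        Session session = resolver.adaptTo(Session.class);

        if (expiry[0].getLong() < System.currentTimeMillis()) {
            clearToken(user);           // stale token is dropped so it can never be replayed later
            session.save();
            return null;
        }
        // Constant-time comparison of the stored hash against the hash of what the user presented.
        boolean matches = MessageDigest.isEqual(
                storedHash[0].getString().getBytes(StandardCharsets.US_ASCII),
                sha256Hex(presentedToken).getBytes(StandardCharsets.US_ASCII));
        if (!matches) {
            return null;                // wrong guess does not burn the real token; rely on expiry and rate limiting
        }
        clearToken(user);               // single use
        byte[] pw = new byte[18];
        random.nextBytes(pw);
        String newPassword = Base64.getUrlEncoder().withoutPadding().encodeToString(pw);
        user.changePassword(newPassword); // the repository stores a salted hash; cleartext is never written
        session.save();
        return newPassword;
    }

    private static void clearToken(User user) throws RepositoryException {
        user.removeProperty(TOKEN_HASH_PROP);
        user.removeProperty(TOKEN_EXPIRY_PROP);
    }

    private static User lookupUser(ResourceResolver resolver, String userId) throws RepositoryException {
        UserManager um = resolver.adaptTo(UserManager.class);
        Authorizable a = um.getAuthorizable(userId);
        return (a instanceof User) ? (User) a : null;
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

beginReset() hands the raw token back only so the servlet can embed it in the confirmation link; completeReset() hands back the generated password for the step-4 mail. Both should answer the browser with the same neutral message on null, and the endpoints should be rate-limited. Mailing a generated password is what the accepted answer describes; forcing a password change on first login, or letting the user pick the new password on the confirmation page instead of mailing one, is the stronger variant.
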
dharmaAuthor
October 16, 2015

Thanks Mateusz, this helps.