Hi,
we have forgot password link in app wherein we need to retrieve the original password and mail the password in plan text to the end user.
user password is stored in encrypted format in CRX (/home/users/), so is there any CQ / Sling API to decrypt the password?
OR is there any other way to implement the forgot / reset password in app?
thanks.
Solved! Go to Solution.
Views
Replies
Total Likes
I'm not convinced but pretty sure the password is hashed/encrypted with asymetric key.
It is rarely seen and found a security flaw to be able to retrieve origin password from the value stored inside the repository. The forgotten password functionality should be implemented in following way:
However from CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials you can check getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).
Views
Replies
Total Likes
I'm not convinced but pretty sure the password is hashed/encrypted with asymetric key.
It is rarely seen and found a security flaw to be able to retrieve origin password from the value stored inside the repository. The forgotten password functionality should be implemented in following way:
However from CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials you can check getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).
Views
Replies
Total Likes
Mateusz Chrominski wrote...
I'm not convinced but pretty sure the password is hashed/encrypted with asymetric key.
It is rarely seen and found a security flaw to be able to retrieve origin password from the value stored inside the repository. The forgotten password functionality should be implemented in following way:
User sends request to reset password
Application sends confirmation mail
User clicks the link from mail confirming he wants to reset the password
CQ generates new password, changes the user password internally and sends mail with new password
However from CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials you can check getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).
Thanks Mateusz. this helps.
Views
Replies
Total Likes
Views
Like
Replies