
SOLVED

Is there any way to decrypt a user's password in CQ?


Level 1

Hi,

We have a forgot-password link in our app, for which we need to retrieve the original password and mail it in plain text to the end user.

The user password is stored in encrypted format in CRX (/home/users/), so is there any CQ / Sling API to decrypt the password?

Or is there any other way to implement forgot / reset password in the app?

 

thanks.

1 Accepted Solution


Correct answer by Mateusz Chrominski, Level 2

I'm not convinced, but I'm pretty sure the password is hashed/encrypted with an asymmetric key.

It is rarely seen, and considered a security flaw, to be able to retrieve the original password from the value stored inside the repository. The forgotten-password functionality should be implemented in the following way:

  1. User sends a request to reset the password
  2. Application sends a confirmation mail
  3. User clicks the link from the mail, confirming he wants to reset the password
  4. CQ generates a new password, changes the user's password internally and sends a mail with the new password

However, from the CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that the getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials, you can check the getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).

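One way to implement the four reset steps above on the Jackrabbit user API, as an added example that is not code from the post or from Adobe/Day: the hypothetical PasswordResetService assumes a single CQ instance (tokens are kept in memory) and that the caller supplies a JCR Session with write access to /home/users together with its UserManager; sending the confirmation mail with the returned token and the mail with the new password is left to the caller.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

public class PasswordResetService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TOKEN_TTL_MS = 30 * 60 * 1000L; // mail link is valid for 30 minutes

    private static final class Pending {
        final String userId; final long expiresAt;
        Pending(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }
    // Assumption: a single CQ instance; a cluster would have to keep this state in the repository.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Steps 1-2: mint a single-use token; the caller puts the returned value in the confirmation mail link. */
    public String requestReset(String userId) {
        String token = randomUrlSafe(32);
        pending.put(token, new Pending(userId, System.currentTimeMillis() + TOKEN_TTL_MS));
        return token;
    }

    /** Steps 3-4: on link click, consume the token, set a fresh password and return it for the mail. */
    public String completeReset(String token, Session session, UserManager userManager)
            throws RepositoryException {
        Pending p = pending.remove(token); // remove() makes the link single-use
        if (p == null || p.expiresAt < System.currentTimeMillis()) {
            throw new IllegalArgumentException("invalid or expired reset token");
        }
        Authorizable a = userManager.getAuthorizable(p.userId);
        if (a == null || a.isGroup()) throw new IllegalArgumentException("no such user: " + p.userId);
        String newPassword = randomUrlSafe(18);
        ((User) a).changePassword(newPassword); // Jackrabbit stores only a hash under /home/users
        session.save();                          // session must be allowed to write the user node
        return newPassword;
    }

    private static String randomUrlSafe(int bytes) {
        byte[] raw = new byte[bytes];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

Because changePassword() hands the new value to Jackrabbit's own hashing, nothing in this flow ever needs the stored password back, which is why the decrypt question has no answer.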

2 Replies



Level 1

Mateusz Chrominski wrote...

I'm not convinced, but I'm pretty sure the password is hashed/encrypted with an asymmetric key.

It is rarely seen, and considered a security flaw, to be able to retrieve the original password from the value stored inside the repository. The forgotten-password functionality should be implemented in the following way:

  1. User sends a request to reset the password
  2. Application sends a confirmation mail
  3. User clicks the link from the mail, confirming he wants to reset the password
  4. CQ generates a new password, changes the user's password internally and sends a mail with the new password

However, from the CRX API (http://jackrabbit.apache.org/api/2.0/org/apache/jackrabbit/api/security/user/User.html), I see that the getCredentials() method can be invoked. If the returned object is an instance of SimpleCredentials, you can check the getPassword() method (http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html).

 

Thanks Mateusz, this helps.