change password functionality in ATG - passwords

I am working on ATG 11.2, my requirement is as below:
When the user clicks the forgot password button, a link with an encoded user id and a temporary password will be sent by email. The user will click the link sent in the email and be redirected to ResetPassword.jsp, where he gets an option to fill in the temporary password sent in the email, the new password and the confirm password respectively.
I am using ForgotPasswordHandler for this implementation. I have read that the ForgotPasswordHandler method replaces the password property with the newly generated password. Therefore I'm storing the input box value of the temporary password in ProfileFormHandler.value.oldpassword.
The values are as below:
Temporary Password:
New Password:
Confirm Password:
But when I am debugging the handleChangePassword method in ProfileForm, it is not able to compare the passwords properly. Please suggest if my approach is correct, or what I need to override in the method if required.

ATG stores passwords in encrypted format.
You need to store your oldPassword in encrypted format too. The passwords will not be equal unless both passwords are hashed and are the same.

Divide combined username and password used in AUTH PLAIN to use in AUTH LOGIN to use with SMTP

I am trying to send an email through telnet using an SMTP server through Telnet.
For AUTH PLAIN authentication I can use this string that is the username and password combined (ex: dGhpc0lzTXlVc2VybmFtZVRoaXNJc015UGFzc3dvcmQ=)
Now I need to use AUTH LOGIN to authenticate instead of AUTH PLAIN, which means I need the username and password separated.
My question is:
How can I "divide" this string?
Or, is there a way to find out the username and password if I authenticated through LOGIN PLAIN so that I can later use it in AUTH LOGIN?
First of all, you should use openssl instead of telnet. If you don't have the username and the password separately to start with, you base64-decode the PLAIN string, split it at the null character, and then base64-encode the username and the password separately.
The string used by AUTH PLAIN is simply a combination of the username and the password encoded in base 64. To divide it, we can decode from base 64 and try to divide them.
The first part of the string is the username and the second is the password.
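The following is an added example, not code from either answer above. It is the decode-split-re-encode step the first answer describes, written in Python against the SASL PLAIN layout (authorization id, NUL, username, NUL, password, all base64-encoded as one string). The username and password used to build the sample PLAIN string are constructed for the example; the AUTH LOGIN exchange then sends the base64 username and the base64 password as two separate lines, which is what the second function produces. The splitter refuses input that does not contain exactly two NUL separators, since such a string is not a PLAIN response (the sample string quoted in the question decodes to a plain ASCII string with no NUL bytes in it, so it is rejected rather than guessed at).

```python
import base64


def build_plain(username: str, password: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN initial response: authzid NUL authcid NUL passwd, base64-encoded.
    Constructed here only so the example has a valid PLAIN string to split."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def is_plain_response(plain_b64: str) -> bool:
    """True if the string decodes as base64 and has the two NUL separators of SASL PLAIN."""
    try:
        raw = base64.b64decode(plain_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return raw.count(b"\0") == 2


def split_plain(plain_b64: str) -> tuple[str, str]:
    """Decode the AUTH PLAIN string and split it at the NUL separators.
    Returns (username, password); the leading authorization id (usually empty) is dropped."""
    raw = base64.b64decode(plain_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(
            f"not a SASL PLAIN response: expected 2 NUL separators, found {len(parts) - 1}"
        )
    _authzid, username, password = parts
    return username.decode("utf-8"), password.decode("utf-8")


def auth_login_lines(plain_b64: str) -> tuple[str, str]:
    """The two base64 lines sent after 'AUTH LOGIN': first the username, then the password,
    each encoded on its own (the server prompts for each with a 334 reply)."""
    username, password = split_plain(plain_b64)
    return (
        base64.b64encode(username.encode("utf-8")).decode("ascii"),
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
    )


def decode_line(b64: str) -> str:
    """Decode one of the AUTH LOGIN lines back to text (used to check the result)."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    plain = build_plain("alice@example.com", "s3cret")
    print("AUTH PLAIN", plain)
    user_line, pass_line = auth_login_lines(plain)
    print("AUTH LOGIN")
    print("334 VXNlcm5hbWU6 ->", user_line)   # server asks 'Username:'
    print("334 UGFzc3dvcmQ6 ->", pass_line)   # server asks 'Password:'
```

As the first answer says, run the session under openssl s_client (or STARTTLS) rather than plain telnet; the base64 lines are an encoding, not a protection, and go over the wire readable otherwise.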

Compare hashed password vs searching for user with hashed value

Technically speaking, is there any difference between these two login flows?
The first:
Find user by email/username/etc.
Use a library like bcrypt to compare plain text password to hashed one
Return user if comparison true / return invalid credentials if comparison false
The second:
Hash the plain text password sent by user
Search for user by both the email and hashed password
If user found return him to the client / if user not found return invalid credentials

I want to use the md5 encryption method for the password field in the login form instead of the existing bcrypt encryption method?

I have completed the login functionality using Auth middleware, where I used the Bcrypt encryption method. The login functionality works fine. But we need to handle a set password functionality where the old password needs to be validated. But every time the Bcrypt method changes the password string, so the previously stored bcrypt string of the password in the table does not match the manually entered password in the set password form. So how do I validate the old password field if it will not match the existing saved password in the table?
$credentials = request(['email', 'password']);
$user=Auth::attempt($credentials);
You are using Laravel so you should use Hash in order to deal with passwords.
Here is all you need to know about it: https://laravel.com/docs/6.x/hashing#basic-usage
In short you can create and verify the passwords in following ways:
Create hashed password to store in DB:
$hashedPassword = Hash::make($request->password);
Verify against existing password
if (Hash::check('entered-password-by-user', $hashedPassword)) {
// The passwords match...
}
Of course don't forget to include the Hash facade: use Illuminate\Support\Facades\Hash;
md5 is an ancient and very vulnerable way to go if you want to hash your passwords with it. It is HIGHLY DISCOURAGED!

iTextSharp encryption without password is not working properly

I am trying to use the iTextSharp writer.SetEncryption method with Nothing to encrypt a file without a password, but it is setting a password for some random PDF even if I have passed Nothing to encrypt it.
pdf.SetEncryption(Nothing, Nothing, PdfWriter.AllowScreenReaders, PdfWriter.STRENGTH40BITS)
It is working properly.
Please have a look at the documentation of the method you used:
/** Sets the encryption options for this document. The userPassword and the
 * ownerPassword can be null or have zero length. In this case the ownerPassword
 * is replaced by a random string. The open permissions for the document can be
 * AllowPrinting, AllowModifyContents, AllowCopy, AllowModifyAnnotations,
 * AllowFillIn, AllowScreenReaders, AllowAssembly and AllowDegradedPrinting.
 * The permissions can be combined by ORing them.
 * @param userPassword the user password. Can be null or empty
 * @param ownerPassword the owner password. Can be null or empty
 * @param permissions the user permissions
 * @param strength128Bits <code>true</code> for 128 bit key length, <code>false</code> for 40 bit key length
 * @throws DocumentException if the document is already open
 */
virtual public void SetEncryption(byte[] userPassword, byte[] ownerPassword, int permissions, bool strength128Bits)
So if you don't give a value for the owner password, the documented behavior is that a random string is used, exactly as you observed.
Apparently you try to set the permissions of the PDF to only PdfWriter.AllowScreenReaders, but setting this permission selection is only possible for encrypted files, and for encryption a non-empty owner password is required, so iText chooses one for you.
An empty user password on the other hand is possible because in the course of its use during encryption and decryption a "default password string" is appended to the user password value anyway.
Addendum
In answer to questions in comments...
What does "is replaced by a random string" mean exactly? And in what format would that password be?
if (ownerPassword == null || ownerPassword.Length == 0)
ownerPassword = DigestAlgorithms.Digest("MD5", CreateDocumentId());
(PdfEncryption method SetupAllKeys)
where CreateDocumentId is defined like this:
public static byte[] CreateDocumentId() {
long time = DateTime.Now.Ticks + Environment.TickCount;
long mem = GC.GetTotalMemory(false);
String s = time + "+" + mem + "+" + (seq++);
byte[] b = Encoding.ASCII.GetBytes(s);
return DigestAlgorithms.Digest("MD5", b);
}
Can you still retrieve the password somehow?
The password is not explicitly stored anywhere for later retrieval. In this situation, i.e. a call for encryption using an empty owner password, it is assumed that the caller is not interested in knowing the password.
If this sounds weird to you, please be aware that for the actual encryption of document data the user password is used, not the owner password. (More exactly a value derived from the user password.) The owner password during document encryption only is used to encrypt the user password (more exactly, a value derived from it) and store that value in the PDF.
When the PDF is opened again and the user provides a password, it is tested whether it can immediately be used for document data decryption (i.e. it is the user password) or whether it can be used to decrypt the above mentioned value to the user password which then can decrypt the document (i.e. it is the owner password).
In either case the user has access to the PDF but if it was only the user password, not the owner password, the PDF processor is expected to restrict the allowed operations according to a given permissions value.
Thus, a caller not giving an owner password here is interpreted to be not interested in anyone having full access to the PDF in a specification conforming PDF processor, for restricted access the user password suffices. This has nothing to do with making the document undecryptable due to a lost password...
Would it use one of the indicated key strengths?
Well, MD5 returns a 128 bit hash, but as the structure of the hashed data is well known, the password is by far not as strong as a truly random 128 bit value. On the other hand an eight character string usually also is by far not as strong as that...

Laravel 4, reset password only with token (howto check it and get user)

What is the best way to reset a password only with a token?
Now it is made with token and email; I want to get the email by checking the token in the reminders table.
Thanks!
Update
Resolved this by:
$email = DB::table(Config::get('auth.reminder.table'))->where('token', $token)->pluck('email');
Here's how I do password resets.
User clicks Forgot Password link and is taken to a form with one field for email.
They enter their registered email address and I check the email exists in the DB. If it does, I store a random reset code for that user using Str::random(60). I then save the user and email them a link with a reset code (e.g. http://domain.com/reset/CODE).
User clicks the link and is taken to the URL above which checks the CODE. If the CODE exists in the DB, the password for the matching user is reset to something random using Str::random(10) and this new password is mailed to the user.
Not sure if this is right/wrong, but it works for me.