Overview of the new One-way Hashing password management mode in WorkflowGen 6.1 and later


#1

Note: This applies to WorkflowGen version 6.1 and later only.

The WorkflowGen 6.1 upgrade keeps the password management mode set to Version 5, as in previous versions of WorkflowGen.

However, if you change the password management mode to One-way Hashing (SHA256), passwords are no longer encrypted in the database. Instead, the database stores hashed passwords, and so it is impossible to decrypt or retrieve user passwords.

When a user first connects to WorkflowGen after the password management mode has been changed to One-way Hashing, WorkflowGen will automatically convert the user’s password to One-way Hashing (SHA256) mode.

If you change the password management mode back to Version 5, you must then reinitialize the passwords for all user accounts for which the mode was changed to One-way Hashing (SHA256).

If you have a custom HTTP module or Login.aspx authentication web form that verifies WorkflowGen passwords, implement the following code in your solution to authenticate users:

using System.Configuration; // ConfigurationManager (System.Configuration.dll)
// Advantys.My.Security.CryptographyHelper comes from Advantys.My.Security.dll (see note below)

string passwordFromRequest = Request["password"]; // Get the user password sent from the HTTP request
string passwordFromDB = ...;                      // USERS.PASSWORD
string saltFromDB = ...;                          // USERS.SALT

if (ConfigurationManager.AppSettings["ApplicationSecurityPasswordManagementMode"] == "OWH")
{
    // One-way Hashing mode: hash salt + submitted password and compare with the stored hash
    return Advantys.My.Security.CryptographyHelper.EncryptSHA256(saltFromDB + passwordFromRequest) == passwordFromDB;
}
else
{
    // Version 5 mode: decrypt the stored password and compare it with the submitted one
    return Advantys.My.Security.CryptographyHelper.MD5Decrypt(passwordFromDB) == passwordFromRequest;
}

Note: A reference to the Advantys.My.Security.dll library is necessary in your solution.
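
The following is an added, self-contained illustration of what the OWH branch above does; it is not WorkflowGen or Advantys code. It takes from the post only the facts stated there: the stored value is a SHA-256 hash of salt + password, and the mode is read from the ApplicationSecurityPasswordManagementMode setting with the value "OWH". Everything else is an assumption for the example: the class and method names, UTF-8 encoding of the input, lowercase hex encoding of the digest, and a base64 random salt. In a real HTTP module or Login.aspx, keep calling Advantys.My.Security.CryptographyHelper.EncryptSHA256 so that the value you compute matches the format WorkflowGen stored in USERS.PASSWORD; the point here is the verification flow, including a length-independent comparison instead of == on the hash strings.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (example code, not part of WorkflowGen or Advantys.My.Security).
public static class OwhPasswordExample
{
    // Assumption: digest of UTF-8(salt + password), rendered as lowercase hex.
    // The real output format of CryptographyHelper.EncryptSHA256 is not given in the post.
    public static string HashSha256(string saltFromDB, string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(saltFromDB + password));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Random per-user salt; constructed for the example, base64 so it stores as text.
    public static string NewSalt()
    {
        byte[] bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Compare two strings without short-circuiting on the first differing byte,
    // so the time taken does not depend on how much of the hash matched.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
        {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }

    // Mirrors the OWH branch of the post: only the hash and salt are needed from USERS;
    // the plaintext password is never stored and cannot be recovered from the row.
    public static bool Verify(string passwordManagementMode, string passwordFromDB,
                              string saltFromDB, string passwordFromRequest)
    {
        if (passwordManagementMode != "OWH")
        {
            // The Version 5 branch relies on the Advantys MD5Decrypt helper and is not
            // reproduced here.
            throw new NotSupportedException("This example only handles One-way Hashing mode.");
        }
        string computed = HashSha256(saltFromDB, passwordFromRequest);
        return FixedTimeEquals(passwordFromDB, computed);
    }

    public static void Main()
    {
        // Constructed sample credential: what a user record would hold after the
        // first login in OWH mode converted the password.
        string salt = NewSalt();
        string storedHash = HashSha256(salt, "correct-password");

        Console.WriteLine(Verify("OWH", storedHash, salt, "correct-password")); // True
        Console.WriteLine(Verify("OWH", storedHash, salt, "wrong-password"));   // False
        Console.WriteLine(Verify("OWH", storedHash, "", "correct-password"));   // False: salt must match
    }
}
```

The third check in Main shows why the salt is read from USERS.SALT rather than hard-coded: the same password with a different (or missing) salt produces an unrelated hash, which is also why switching the mode back to Version 5 cannot recover the original passwords and requires reinitializing them, as the post states.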


#2

Advantys.My.Security.CryptographyHelper.MD5Encrypt seems deprecated and replaced by Advantys.My.Security.CryptographyHelper.Encrypt(). Is Encrypt() replacing solely MD5 (Version 5), or does it also manage SHA256 (OWH)?


#3

Hi Kevin,

Advantys.My.Security.CryptographyHelper.MD5Encrypt/MD5Decrypt is still used by WorkflowGen internally to manage user account passwords in Version 5 mode, but is deprecated for external public use.

If you need a method to encrypt or decrypt a string with a custom key, we recommend using Advantys.My.Security.CryptographyHelper.Encrypt/Decrypt instead. Advantys.My.Security.CryptographyHelper.Encrypt/Decrypt does not replace Advantys.My.Security.CryptographyHelper.EncryptSHA256, since they are used for different purposes.

Regards,
Eddy.