The algorithm is MD5, you can check
"Password security — AR System ensures that passwords are always
encrypted. An MD5 hash of passwords is stored in the database, ensuring that
the system (and therefore a reader of the database) cannot retrieve passwords.
In addition, the AR System server allows you to use policies to enforce
password changes. For password policy information, see Enforcing a password policy introduction."
There are quite a lot of MD5 password decrypters around - is there another layer of security?
It depends if it's strictly a vanilla md5 of the password or with a salt too.
An easy way to see that would be to use an "easy" password and check how it's stored in the database.
1 of 1 people found this helpful
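The check suggested in the reply above, as an added example that is not part of the original thread and not BMC code: set a throwaway password on a test account, read the stored value, and compare it with the common textual forms of an unsalted MD5. The function names, the encodings tried and the sample values are assumptions made for illustration, not AR System's documented storage format.

```python
import base64
import hashlib

# Encodings tried here are assumptions about common storage habits,
# not a documented AR System format.
TEXT_ENCODINGS = ("utf-8", "utf-16-le")


def md5_candidates(password):
    """Map a label to each common textual form of an unsalted MD5 digest."""
    forms = {}
    for enc in TEXT_ENCODINGS:
        digest = hashlib.md5(password.encode(enc)).digest()
        forms[f"md5({enc}) hex"] = digest.hex()
        forms[f"md5({enc}) base64"] = base64.b64encode(digest).decode("ascii")
    return forms


def classify_stored_value(stored, known_password):
    """Return the label of the matching form, or None if nothing matches.

    None means the value is not a bare MD5 of the password: a salt, a
    different algorithm or a further transformation is involved.
    """
    stored = stored.strip()
    for label, value in md5_candidates(known_password).items():
        if label.endswith("hex"):
            # Hex digests are often stored upper-case; compare case-insensitively.
            if stored.lower() == value:
                return label
        elif stored == value:
            return label
    return None


if __name__ == "__main__":
    test_password = "password"  # constructed throwaway password for a test account
    # Constructed sample values standing in for what was read from the database.
    samples = {
        "unsalted, upper-case hex": hashlib.md5(b"password").hexdigest().upper(),
        "salted (constructed salt)": hashlib.md5(b"s4lt" + b"password").hexdigest(),
    }
    for name, stored in samples.items():
        verdict = classify_stored_value(stored, test_password)
        print(f"{name}: {verdict or 'not a bare MD5 of the password'}")
```

A match means the stored value can be looked up in precomputed MD5 tables; no match only rules out the forms tried here.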
Correct me if I am wrong but hashed values are not strictly the same as encrypted values. You can unencrypt a value but a hash can only be used to ensure that values match, you can't "unencrypt" a hashed value such as an MD5 to get the original value.
Another way to phrase that is hashing is a one-way operation while encryption/decryption is a two-way operation. Since passwords are stored as hashed values you can't get the original value from them. You may find MD5 "decryption" tools on the Internet but from what I have seen they are just very large databases to use what is basically a dictionary attack on your hashed value.
I looked in the "User" form and it doesn't look like it's "just" an MD5 hashed password.
The documentation at the following link applies to the DB password encryption because of the need to decrypt it so AR can use it to access the database. The MD5 hash does not apply in this case.
Bob, that article reads to me like it is only for client (WUT or mid-tier server) to application server communications, to protect the data in-flight. Luis's link, I believe, involves how user account passwords are stored in Remedy, so that's still not really what Wallace was asking. I am not sure where to find the information he asked about, which is how ARS encrypts its own DB password (as entered by an admin in the Server Info form) to store it in the config file.
Yes, I agree the article reads that way. I was just pointing out that it does apply to Wallace's case even though it does not say it. There is no explicit description of the DB password case in the documentation that I know of. It appears that case was missed.
Yes Bob & Rick (Thanks for stating that),
My question is specific to the password stored in the ar.cfg/ar.conf file. Seeing that the MD5 hashing is used for everything else, the assumption would be the same applies to the file (although not explicitly stated anywhere, or at least anywhere I could find).
I guess the link below is also in the context of the above topic, so I'm just putting it here as a reference.