How safe is password2 type field used in credentials table for Discovery?

Suggy · ‎11-27-2024

We want to implement discovery. Understood that credentials table uses password2 type field which can be easily decrypted usings scripts.

So it means its not safe to use this table? If not how to convince customer that its safe?

if its really not safe, should we use external credentials storage?

Ram Devanathan1 · ‎11-27-2024

for highest safety, best to use role-based authentication giving access to mid. that's what most of our customers do.

the 2-way encryption that you refer to is done through a secret key/decryptor, not everyone can do it - only someone with the admin rights. password2 2-way encryption is a standard approach and it gives protection. see here - https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/key-management-frame...

this is standard problem with all 'stored' passwords by the way.

Suggy · ‎11-28-2024

Hi @Ram Devanathan1

Could you please tell what exactly you meant by "role-based authentication giving access to mid"?

Can you share any docs link please.

Suggy · ‎12-02-2024

Hello @Ram Devanathan1 if you could please reply 🙂

Kathy K · ‎12-02-2024

Adding clarification on the phrase "only someone with admin rights can encrypt/decrypt" for Password2 – there is no role restriction on using PW2. If a field is available for Password2 and Key Management Framework (KMF) is enabled, the field will be encrypted/decrypted.