One way encryption

alizaman
ServiceNow Employee

How one way encryption works in the system.

I have set the password field to one way encryption, but could still decrypt it back to plain text.

Using the GlideEncrypter();

Encrypt:

var kryp = new GlideEncrypter();

var krypPas = kryp.encrypt(user_password);

gr.u_password_array = krypPas; // save password to one-way password field on table

OR

There is a Pwd Change - Local ServiceNow workflow that uses another method, which stores the password in the user table, where the password cannot be decrypted back to plain text.

But what if I want to save passwords in another table/field other than user table, so very little information on user.authenticate method is available for it to be used somewhere else.

var enc = new GlideEncrypter();

var decryptedOldPassword = '' + enc.decrypt(workflow.inputs.u_old_password);

var authed = user.authenticate(userName, decryptedOldPassword);

Thanks

Ali

15 REPLIES

One more note on this for your use case: this post seems to suggest that there is no public API to compare the hash. The only 2 places I'm aware that we do that are password reset security questions and local user passwords. But I think both of them do it in API calls that aren't Glide Scriptable methods. This post seems to confirm that, at least as of a couple of years ago, and suggests using an external JavaScript library to manage the hash and comparison.



Password history


Hi Joe



I have tested this in my dev instance and I can see that it is possible to one-way encrypt the user password. However, when I do that it is not possible for me to compare the value with earlier passwords. Is that possible in any way?




Maybe by using "var authed = user.authenticate(userName, decryptedOldPassword);" that ServiceNow is using. I just can't find anything about the method "authenticate".


user.authenticate is specifically for user authentication and can't be used for comparisons on other fields. It leverages a more generic API but that is not part of the published/public API. Not sure why. I'm not aware of a published API that allows the comparison. That seems to be the experience of others in the post I referenced above. You would probably need to check with support to confirm that is still the case.


Thanks Joe for such an extensive response. Actually both Mikkel and I are working on the same issue.


And it seems you are right: by specifying the field as encrypted without using the GlideEncrypter we can achieve one-way encryption, but then we cannot read that value even in encrypted form and compare it with something else (in our case, checking for the last 10 passwords).


On the other hand, we can use GlideEncrypter, but then we can decrypt the string back to plain text.
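The option raised in this thread, managing the hash and the comparison outside the platform API so that the last 10 passwords can be checked without ever decrypting them, looks like this. It is an added example, not part of the original posts and not ServiceNow code: it assumes plain Node.js with its built-in crypto module, and the function names, scrypt settings and sample passwords are constructed for illustration.

```javascript
// Added example: plain Node.js, not code that runs inside a ServiceNow instance.
const crypto = require('crypto');

const HISTORY_DEPTH = 10;                   // "last 10 passwords" from the thread
const KEY_LEN = 32;                         // digest size in bytes (assumed)
const PARAMS = { N: 16384, r: 8, p: 1 };    // scrypt cost settings (assumed)

// One-way record: a random salt plus the scrypt digest. No plain text is kept.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const digest = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return { salt: salt.toString('hex'), digest: digest.toString('hex') };
}

// Re-hash the candidate with the record's own salt, compare in constant time.
function matches(password, record) {
  const expected = Buffer.from(record.digest, 'hex');
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.scryptSync(password, salt, expected.length, PARAMS);
  return crypto.timingSafeEqual(actual, expected);
}

// True when the candidate equals any password in the stored history.
function isReused(password, history) {
  let reused = false;
  for (const record of history) {
    if (matches(password, record)) reused = true; // check every record
  }
  return reused;
}

// Reject a reused password; otherwise append its hash and keep the newest 10.
function changePassword(newPassword, history) {
  if (isReused(newPassword, history)) return { ok: false, history };
  const updated = [...history, hashPassword(newPassword)].slice(-HISTORY_DEPTH);
  return { ok: true, history: updated };
}

// Constructed sample run: the second change repeats the first password.
let demo = changePassword('Constructed-Pass-1', []);
console.log('first change accepted:', demo.ok);
demo = changePassword('Constructed-Pass-1', demo.history);
console.log('repeat accepted:', demo.ok);
```

Because each record has its own salt, two records for the same password differ, so comparison only works by re-hashing the candidate against every stored record, never by comparing stored values to each other.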


Hi,



but I can use in this mode:


var authed = user.authenticate(userName, passwordCriptedInServiceNow);

How can I get the password of the currently logged-in user in ServiceNow?