How are passwords saved in ServiceNow? Are they encrypted?

‎12-09-2020 08:43 AM
We have a requirement to connect to a database using a Data Source. The DB Admins want to confirm that the password entered via screen sharing for the user credentials is encrypted and is not saved in plain text format in ServiceNow.
Could you please provide the reference document which has all the details related to passwords stored in ServiceNow with the required encryption?
Thanks in advance!!
‎12-09-2020 09:02 AM
ServiceNow has two different password field types:
Password (1 Way Encrypted) - One-way encryption stores the password as a secure hash value that cannot be decrypted.
Password (2 Way Encrypted) - Two-way encryption stores the password as a secure encrypted value that can be decrypted programmatically within the instance.
Info pulled from here
The Password field on the Data Source table uses "Password 2" out-of-box, so it can be decrypted by anyone with admin access and the knowledge of how to do so.

‎12-09-2020 09:05 AM
The default field type for passwords is "Password (1 Way Encrypted)". In that field ServiceNow stores only a hash, which means the password can't be decrypted. For more details, check out Field Types.

‎03-02-2023 12:06 AM - edited ‎03-02-2023 12:19 AM
Dear @Nataraj Gedela
Actually, while the two answers so far are not wrong, they address different Use Cases.
The password of a local ServiceNow User is stored using the Password (1 Way Encrypted) type, as @Artem Tyndyk pointed out. This is not relevant for your Use Case, because the password cannot be retrieved. One can, however, check if a given password matches a given hash (that's what ServiceNow does when a locally authenticated User logs in).
It is actually not correctly named, because a hash function is not an encryption function (encryption also implies decryption, but a hash cannot really be decrypted). But I am nitpicking.
For your use case, only Password (2 Way Encrypted) is relevant, as the system needs to decrypt the password in order to use it.
Refer to Secrets Management (servicenow.com) and Password2 encryption with KMF (servicenow.com) for details.
Best
Daniel
If this answer was helpful, I would appreciate if you marked it as such - thanks!
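The difference between the two field types discussed in this thread, as an added example that is not from any of the posters and is not ServiceNow's own code. It uses generic Node.js crypto; the choice of scrypt and AES-256-GCM, all function names, and the sample values are assumptions made for illustration, not a statement of what ServiceNow uses internally.

```javascript
// Added illustration: generic Node.js crypto, NOT ServiceNow's implementation.
const crypto = require('crypto');

// One-way: keep only salt + derived hash; the password is not recoverable.
function hashOneWay(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login check: re-derive from the candidate and compare in constant time.
function verifyOneWay(candidate, stored) {
  const salt = Buffer.from(stored.salt, 'hex');
  const expected = Buffer.from(stored.hash, 'hex');
  const actual = crypto.scryptSync(candidate, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Two-way: authenticated encryption under a key held by the platform.
function encryptTwoWay(secret, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Whoever can use the key gets the clear text back; a wrong key throws.
function decryptTwoWay(stored, key) {
  const iv = Buffer.from(stored.iv, 'hex');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(Buffer.from(stored.tag, 'hex'));
  const pt = Buffer.concat([decipher.update(Buffer.from(stored.ct, 'hex')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample values (hypothetical key and passwords).
const instanceKey = crypto.randomBytes(32);
const userRecord = hashOneWay('local-user-pw');                 // local login: verify only
const dataSource = encryptTwoWay('db-account-pw', instanceKey); // outbound DB credential

console.log('correct login verifies:', verifyOneWay('local-user-pw', userRecord));
console.log('wrong login verifies:', verifyOneWay('guess', userRecord));
console.log('stored data source record:', dataSource);
console.log('recovered for the DB connection:', decryptTwoWay(dataSource, instanceKey));
```

Neither stored record contains the clear-text password, but only the two-way record can be turned back into it, and only by a party that can use the key.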