Reputation: 3584
I used grails acl security. I wanted to change or edit the password of a user after logging in as an admin. But when I go to the edit mode, the password field shows the encrypted text that was saved before as an encrypted string in the user table. Is there any way to decrypt the string fetched from the database and show it in its original string form in the password field?
I did not get any straight solution to do this in grails acl.
Any help would be appreciated.
Upvotes: 1
Views: 256
Reputation: 3584
I haven't decrypted or de-hashed the password but added a new page to change the password for a user. In the workflow I did as follows:
1. While creating a user, a new hashed password is created.
2. While editing, all other desired information is allowed to be edited except the password (but the password is shown in hashed, dotted mode for security).
3. Added a new link named 'change password' in the user list beside each user.
4. Finally, in the newly created 'changePassword' page, I have assigned another new password with a hash operation for the particular user.
Upvotes: 0
Reputation: 75671
There aren't very good reasons to display the cleartext password. As the user or an admin, if you want to change the password then you do it like any other property. Display the old value (either as * characters since it's a password or possibly the hashed value if you are an admin) and then you can enter a new password. This will get hashed and stored when you update.
As long as the cleartext password satisfies the validation requirements (minimum length, special chars, etc.) then the update should work fine.
Note that passwords are generally not encrypted (which implies that they can be decrypted) but hashed. Hash algorithms are lossy - given any input the hash is typically a fixed length output, so it cannot contain all of the original data and can't be used to retrieve the original value. For passwords this is fine. To authenticate, you don't de-hash the stored value and compare to the cleartext value from the login page - you hash the login page value and compare to the stored hash. With some algorithms they'll be the same, and others (e.g. bcrypt) they'll be different but equivalent, and the algorithm will have a way to check that they're equivalent.
Upvotes: 3
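The two answers above describe the same pattern: never decrypt or display the stored password, keep the edit page from exposing it, and implement "change password" as validate, re-hash, overwrite. The added example below (not code from either answer, and not Grails or Spring Security code) shows that flow in plain Python with the standard library's PBKDF2 so it runs anywhere; the iteration count, salt size, password policy, the in-memory `USERS` table and the `edit_form_fields` helper are all constructed for illustration and do not reflect Spring Security's defaults. It also makes the hashing points concrete: the digest is fixed length whatever the input, authentication re-hashes the submitted value instead of de-hashing the stored one, and a fresh salt makes the same password hash differently each time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; a real deployment tunes these.
ITERATIONS = 200_000   # PBKDF2 work factor
SALT_BYTES = 16        # per-password random salt
MIN_LENGTH = 8         # constructed password policy

# In-memory stand-in for the "user" table: username -> {"salt": bytes, "hash": bytes}
USERS: Dict[str, Dict[str, bytes]] = {}


def validate_password(cleartext: str) -> None:
    """Enforce the (constructed) policy on the cleartext before it is hashed."""
    if len(cleartext) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if not any(not ch.isalnum() for ch in cleartext):
        raise ValueError("password must contain at least one special character")


def hash_password(cleartext: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Derive a salted, fixed-length digest. The cleartext cannot be recovered from it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(cleartext: str, record: Dict[str, bytes]) -> bool:
    """Authenticate by re-hashing the submitted value with the stored salt and
    comparing digests in constant time; nothing is 'de-hashed'."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", cleartext.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def create_user(username: str, cleartext: str) -> None:
    """Step 1 of the workflow: a new user is stored with a hashed password."""
    validate_password(cleartext)
    USERS[username] = hash_password(cleartext)


def change_password(username: str, new_cleartext: str) -> None:
    """The 'changePassword' action: validate, re-salt, re-hash, overwrite.
    The old value is never read back as cleartext."""
    if username not in USERS:
        raise KeyError(username)
    validate_password(new_cleartext)
    USERS[username] = hash_password(new_cleartext)


def edit_form_fields(username: str, is_admin: bool = False) -> Dict[str, str]:
    """What the edit page renders for the password field: masked characters for
    everyone, or optionally the stored hash (hex) for an admin. Never cleartext."""
    record = USERS[username]
    shown = record["hash"].hex() if is_admin else "*" * 8
    return {"username": username, "password": shown}


if __name__ == "__main__":
    create_user("alice", "correct horse!")
    print("login ok:", verify_password("correct horse!", USERS["alice"]))
    print("edit form:", edit_form_fields("alice"))
    change_password("alice", "battery staple!")
    print("old password still works:", verify_password("correct horse!", USERS["alice"]))
```

In a Grails application the same shape applies: the `password` property is excluded from the edit form's databinding, and the change-password action goes through the configured `PasswordEncoder` rather than assigning the field directly.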
Reputation: 1749
No, it is impossible to decrypt the password. It is a bad idea to show the password to the user in edit mode. It violates the security law. You can change a user's password but cannot see it.
Upvotes: 2