Salted Password

[I.P.]

i extend my enterprise servers capabilities by own applications and i use the pc monitor logon (username/passwort) to authenticate.

i had to notice that my notification router (the app) cannot be used anymore since the passwords are salted before stored into the database. has the salting started with an update of the enterprise server? i didn't install/change something.

i need to know the salting algorithm to make that working again, i have to be able to calculate the salted-hash outside the enterprise server in my own application.

[Marius]

We cannot provide the salting algorithm but we can surely help you authenticate using your own applications.

Please email us your requirements and we will do our best to help and, if needed, extend the API to support them.

[I.P.]

my requirement is that my own application (only one by now, but it will become more) is able to authenticate against the user accounts in the pcmonitor database. at http://watch.esecure.at/nr for example you provide a username and a password and the website authenticates against the database.

i have seen a passwortSalted binary-field in the accounts table. does this mean i can choose using salted passwords or unsalted md5?

an api is only the second best solution because i want my application work stand-alone, even when the enterprise server itself stops operation. but maybe you have a good idea on that issue. my only solution by now would be to have seperate passwords for pcmonitor itself and my applications.

[I.P.]

i would like to understand the reason for the salting of the passwords in this case. salting itself is clear because then often used passwords do not appear in any md5 cracking database. it is the nature of md5 hashing that a simple change in the clear-text results in a very different hash, so just adding an "a" for example is already a good salting because it completely changes the hash.

wouldn't it be possible to use a salting-parameter (a short formula, a text extension etc...) per enterprise server and the license owner is allowed to know? this would make it possible for the operaters of enterprise servers to use own authentication methods.

[Marius]

We will add an option in the PC Monitor Admin app to use your own salting parameter. It will then be combined with your server Url to make it unique for each Enterprise Server instance.