:)

Yesterday my skypemate found the CS behaviour below extremely weird and asked me to publish it:

API> retrieve,c,dm_user where user_source='inline password'
...
11024be980000159
API> get,c,l,user_password
...
****************
API> ?,c,select user_password from dm_user where r_object_id='11024be980000159' 
user_password   
----------------
****************
(1 row affected)

API> ?,c,select * from (select user_password from dm_user where r_object_id='11024be980000159')
user_password                                                                                                                                                                                                                                                   
-------------------------------------------------....
AAAAEFFuv1nNL7GwOdtSMsULtqfm6IAgEbbOScTIrQo8lbCei....
(1 row affected)

2 thoughts on “:)”

  1. So, it is very easy to read the actual user_password property. The hard task is to decrypt it. Anyway, it would have been better to store the password hash than an encrypted string. This is not just a way to discover a Documentum inline password, but it could be more interesting: a 2013 study reported that over half of UK adults always use the same password to access different internet sites, so it could be an easy way for a Documentum system administrator to get an inline password and to try to use it on public web sites.

    Having said that, I am supposing that the EMC password encryption strategy is strong enough and that it is very difficult to decrypt it.
