Can anybody tell me if the Person document is encrypting the httppassword field twice? The reason is that I enter a password, click F9 and see the encrypted version, but then when I click Save & Close, the httppassword is re-encrypted with a totally different string. So again, my question is: is this field being encrypted twice or so? I’ve tried using both the @Password and @HashPassword commands…neither yields the result stored w/n the httppassword field of the Person document.
Thanks for the response. In either case, the password is encrypted twice (or at least appears to be). In fact, I’m certain because I tried setting the value to something simple like “test” and saw the (63FA…) string. However, when I went to view the document again to just read, the value was then something to the effect of (G8AEE…). At first glance, I thought maybe the issue was a difference between @Password and @HashPassword, but when I looked at the design of the form, in the Translation formula the value was @Password, and all this leaves me stumped.
It sounds like you’re using the “more secure internet hash format”. The (63A…) string that you see is the result of @HashPassword; the (G8AEE…) string is from @HashPassword2. There’s nothing to worry about; that is the setting that everybody who isn’t still on v4.5 (or still running apps developed against v4.5 and never updated) should be using.
Thanks for the response, but my question is: "Is there a way to programmatically control this and ensure that the two values are the same?" On one hand, I am hashing the password entered from my login page using the @HashPassword function, and then trying to compare against that which exists within the Person doc within the NAB. Unfortunately, these values are not the same even though I am absolutely certain that the passwords are the same. Any ideas??? And again, thanks for the response.
… at least, I believe that is the correct name of the LotusScript function. I normally work at a somewhat lower level, so frequently have problems remembering the names of the high-level routines.
Why do you even try to compare the passwords/hashes? Are you trying to code around Domino’s authentication system? For me, this is calling for trouble.
I’m comparing passwords as part of verifying a web user’s logon credentials to a system, as even when users change their passwords, I want to ensure that these passwords meet certain criteria, and last but not least keep a history of previous passwords. With that, comparing the password entered against the value stored within the NAB is HIGHLY essential, thank you. Oh also, these are for users who do not have Notes IDs, therefore applying policies will not work.
OK…not sure I agree, but back to my original question: do you know if there is multiple hashing going on with HTTPPasswords on Person documents w/n the NAB?
I have an application where I am trapping failed logon attempts. My issue is: given that the value returned using the @HashPassword never returns the same value, how can I compare the password entered on my login form to that stored within the Person document given the higher security and all?
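Why two hashes of the same password never match under a salted format, and how a check against a stored value or a password history is done instead, shown as an added example that is not part of the thread. It uses PBKDF2 from Python's standard library as a stand-in, not Domino's HTTPPassword algorithm; the function names, the work factor and the `salt$digest` storage layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh random salt is drawn per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the salt kept inside `stored`, then compare."""
    salt_hex, sep, _ = stored.partition("$")
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed stored value never verifies
    if not sep:
        return False
    # Constant-time comparison of the full 'salt$digest' strings.
    return hmac.compare_digest(hash_password(password, salt), stored)


def is_reused(password, history):
    """True if `password` matches any earlier stored hash."""
    # Every entry is checked (no early exit), so timing does not show which one hit.
    hits = [verify_password(password, old) for old in history]
    return any(hits)


if __name__ == "__main__":
    stored = hash_password("test")   # constructed sample: value kept in the directory
    again = hash_password("test")    # what a login form would compute on its own
    print("hash strings equal:", stored == again)
    print("verify against stored:", verify_password("test", stored))
    history = [hash_password(p) for p in ("spring-2023", "summer-2023")]
    print("reuse detected:", is_reused("summer-2023", history))
    print("new password accepted:", not is_reused("autumn-2023", history))
```

Within Domino itself, `@VerifyPassword` performs the equivalent check of an entered password against a stored hash, so the application never needs to reproduce the stored string.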