When working with clients, I sometimes hear frustrations about our built-in menuing system. Specifically, some developers would prefer that we not store user passwords in plain-text format.
Below I explain a simple process that uses SHA-1 to hash user passwords so that they are no longer stored in plain text. You can learn more about SHA-1 here. Essentially, this method uses client-side logic so that when a user enters a password while creating their account, it is automatically converted to a SHA-1 hash string. This string is what is stored in the password field for the user.
The final step is to install the same client-side logic into your mrcSignon2.html file so that when the user enters their password and clicks submit, it is converted to the same hashed form and checked against the entry in the security file. If the two match, the user has validated successfully. All the while, if a user were to examine the contents of the table, they would see only the hashed passwords.
Step 1 — Set up Initial Password Creation Page
Since you are unable to modify the screens within the m-Power tool, build a maintenance application over the table SCHEMA.MRCSEC1 (this example assumes you are using the standard security tables that ship with m-Power). Once built, open m-Painter and make the following changes within the source code:
Add the following lines inside the head tag:
<script src="http://www.mrc-productivity.com/public/scripts/sha1-min.js" type="text/javascript"></script>
<script>
function convertSHA(e){
e = hex_sha1(e);
jQuery('#USERPASS').val(e);
}
</script>
This includes the SHA-1 conversion logic.
Lastly, add the following text inside your “form” tag:
onsubmit="convertSHA(jQuery('#USERPASS').val());"
Save.
Any accounts added via this maintenance application will automatically have their passwords hashed with SHA-1 before they are stored.
Step 2 — Install into mrcSignon2.html
Open the mrcSignon2.html file, and find the
<title>Sign On</title>
line. Directly after this, add the following two lines:
<script type="text/javascript" src="/mrcjava/mrcclasses/mrcjsajax.js"></script>
<script src="http://www.mrc-productivity.com/public/scripts/sha1-min.js" type="text/javascript"></script>
<script>
function convertSHA(e){
e = hex_sha1(e);
jQuery('#mrcpswd').val(e);
}
</script>
Next, insert the following line into your “form” tag:
onsubmit="convertSHA(jQuery('#mrcpswd').val());"
Lastly, replace the following line of code:
<input type="password" size="15" maxlength="50" name="mrcpswd">
with this line:
<input type="password" size="15" maxlength="50" id="mrcpswd" name="mrcpswd">
Save.
While optional, I would recommend editing your mrcSignon2.xml to add your application from Step 1 so that it opts out of security (there is no sense in making a user log in to create their account).
Restart Tomcat for your changes to go into effect.
In the end, users see no difference in how they log in, and their passwords are much more secure because they are no longer stored in plain text.
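The following is an added example, not part of the original post and not mrc's code. It models what the security table holds under the client-side SHA-1 scheme above and puts it beside a server-side salted scrypt check, so the difference in what a table reader learns is visible. It assumes Node.js, all function names are hypothetical, and the hardened variant assumes the server-side comparison can be changed, which the steps above do not cover.

```javascript
// Added example, not mrc's code. Node.js standard library only; names are hypothetical.
const nodeCrypto = require('crypto');

// Same digest hex_sha1() yields for ASCII input: unsalted SHA-1, lowercase hex.
function sha1Hex(password) {
  return nodeCrypto.createHash('sha1').update(password, 'utf8').digest('hex');
}

// Scheme from the page: the form posts sha1Hex(password); the server compares the
// posted field with the stored column, so the column value is itself the credential.
function pageSchemeStore(password) { return sha1Hex(password); }
function pageSchemeVerify(postedField, storedColumn) { return postedField === storedColumn; }

// Hardened form (assumption: the server-side check can be changed). The password
// travels over TLS; the server stores a random salt plus the scrypt output.
function hardenedStore(password) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(password, salt, 32);
  return salt.toString('hex') + ':' + key.toString('hex');
}

function hardenedVerify(password, record) {
  const [saltHex, keyHex] = String(record).split(':');
  if (!saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length === 0) return false; // malformed record
  const actual = nodeCrypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Properties of both storage schemes for one constructed password.
function compareSchemes(password) {
  const p1 = pageSchemeStore(password), p2 = pageSchemeStore(password);
  const h1 = hardenedStore(password), h2 = hardenedStore(password);
  return {
    pageRowsEqualForSamePassword: p1 === p2,            // no salt: same password, same row
    pageStoredValuePassesCheck: pageSchemeVerify(p1, p1), // column equals what the form posts
    hardenedRowsEqualForSamePassword: h1 === h2,        // random salt: rows differ
    hardenedStoredValuePassesCheck: hardenedVerify(h1, h1), // record is not a credential
    hardenedPasswordPassesCheck: hardenedVerify(password, h1),
  };
}

console.log(compareSchemes('Constructed-Passw0rd!')); // constructed sample input
```

With the client-side scheme the table no longer shows the typed password, but the stored string is exactly what the sign-on form submits; the salted server-side record is neither reusable as a login value nor identical across users who share a password.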