System admins, It is possible to protect your user’s password in Adempiere380, it needs your action.

Today morning one of my friend contacted me to raise his concerned after watching Red1 ( http://youtu.be/Eo0ufA1BY8Y) video about how to gain access to SuperUser account in case of system administrator has  not taken enough care to disable GardenWorld tenant or taken enough steps to change password of default users.

Even though that is done, Aempiere370 has security flow where user were able to watch password of other users by the way demonstrated by Red1. This was reported year back with iDempiere and issue was fixed in release1.0 of iDempiere. Adempiere380 has solution to this issue. But System admin need to take action.

Though Adempiere has not disabled “Value Preference” and “Editor” option, Paul Bowden from Adaxa’s contribution  for password hash (http://sourceforge.net/p/adempiere/contributions/212/)  will helps to mitigate this risk. After upgrading your adempiere to 380, Please follow below steps.

1. Login as System Admin

2. Look for the process named “Hash Passwords” or “Convert passwords to hashes”

Run this process, and your users passwords are now protected.

Now login as any user, try to look password of other users, you will see hashes instead of actual passwords as shown in bellow image.

Special thanks to Red1 for creating video and inspiring me to write this blog and Adaxa for contributing password hashes without which it was not possible to fix this issue.

With Regards,

Deepak Pansheriya