Idea ID: 2833732

Password Encryption for Access Manager, User Login Page

Status: Declined
9 months ago

Passwords in the User Login (NIDP page) for Access Manager are not encrypted and could be traced at proxy servers, or with the help of VAPT developer tools, as plain text.

This is a major security risk and it may lead to the hacking of end users' applications. An SR was raised for the same: #101310992391, Subject: Password Encryption.

Labels: Other
  • Please see the discussion below. Based on the analysis, this requirement will not offer any additional protection. 

  • As Michael said, Supra encryption does not buy you much. If you have a situation where you need to ensure credentials are not compromised to the browser then you need to use something other than passwords. 

  • Hi Devinder,

    Just a reminder, Micro Focus follows the responsible disclosure process. This means that you can send reports of vulnerabilities, or believed vulnerabilities, either in an email to security@microfocus.com or by going to this page.

    I believe you are suggesting Supra Encryption. This is an old security debate. On the one hand, if you can compromise the communication channel, information can be exposed. On the other hand, in order to do so, you would need to compromise the infrastructure.

    We have looked at this in the past. If a certificate can be compromised, any and all secrets can be compromised, and thus Supra Encryption would not solve the problem you are describing here. That is, if the end-user machine is compromised, depending on the skill of the compromiser and the tools available to them, you will have an issue regardless of Supra Encryption.

    ..  

    Michael