4 Replies Latest reply on May 11, 2014 7:02 AM by eonita

    SolarWinds Password Security

    djobrien

      How are passwords stored in the Orion database? I know they are not clear text but are they encrypted or hashed and if so with what algorithms?

        • Re: SolarWinds Password Security
          Peter.Cooper

          Newer (non-legacy) installs of the Orion platform have the database-stored credentials encrypted/decrypted via PKI (see the details of the SolarWinds-Orion certificate). This certificate is shared among the primary poller and all scalability engines. Orion accounts use a salted hash (SHA512), where each account has its own hash. The algorithms are FIPS compliant.

            • Re: SolarWinds Password Security
              eonita

              Hi Peter.Cooper, do you know how to decrypt the Orion account password? Thanks!

                • Re: SolarWinds Password Security
                  Peter.Cooper

                  I've referred to the Orion account password being hashed, which means we can't decrypt the password.

                  Imagine an algorithm where we separate every character of your password and add them up. Next, we store that result in the database, perform the same task every time you log in, and check for equality. That would mean that we don't actually store the password. Now imagine that the algorithm used (add them up) is cryptographically strong and fine for use in military applications. The only way to fetch your original password is with a rainbow table (where somebody has done that algorithm against common passwords and their variants)... that could yield your original password. Except that we added some extra data (salt) into the mix, which means that the rainbow tables aren't logically usable.

                  On occasion, I have locked myself out of Orion. When that happens, I have used Microsoft SQL Studio to overwrite the two columns relating to password with values from another database's account where I know the password. Does that help?
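
The salted-hash behaviour described in this thread, as an added example (not part of any post and not SolarWinds code): it shows why a table precomputed over unsalted SHA-512 digests finds nothing once each account has its own salt, while login verification still works. The salt length, the salt-then-password concatenation, the function names and the sample passwords are assumptions made for illustration; Orion's actual storage format is not given on this page.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt length, one salt per account
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def build_precomputed_table(words):
    """Unsalted SHA-512 of common passwords: a tiny stand-in for a rainbow table."""
    return {hashlib.sha512(w.encode("utf-8")).digest(): w for w in words}

COMMON = ["password", "letmein", "changeme"]  # constructed sample list

def demo():
    table = build_precomputed_table(COMMON)
    unsalted = hashlib.sha512(b"letmein").digest()
    # Two accounts that happen to choose the same password.
    salt_a, hash_a = hash_password("letmein")
    salt_b, hash_b = hash_password("letmein")
    return {
        # The table recovers the password from an unsalted digest...
        "unsalted_found": table.get(unsalted),
        # ...but not from the salted one, even for the same password.
        "salted_found": table.get(hash_a),
        # Per-account salts make identical passwords store differently.
        "same_password_same_hash": hash_a == hash_b,
        "login_ok": verify_password("letmein", salt_a, hash_a),
        "login_bad": verify_password("wrong", salt_a, hash_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```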