THE BPD Blog


by Chris Brown | Jun 29, 2017

Insecure Maximo – Password Security

No, this blog isn’t about Maximo’s lack of self-confidence! It is a post about the lax security of the way passwords are stored, by default, at the database layer.

When you log into Maximo you enter a username and password, and Maximo validates them by checking what you typed against the credentials held in its database. It is in that database layer that the weakness lies.
The credentials live in a table called MAXUSER. The username is stored in plain text, e.g. “Chris.Brown”, and the password is stored in a column of the CryptoX field type as a hex string, e.g. “10FE6F4650B2ACB49A2121D7E6133E64”. The stored value looks nothing like the password the user typed, in this case “Password123”. Letting a system administrator (or anyone else who happens to be looking) read every user’s password would be bad practice, so passwords are transformed before they are stored. The question is what that transformation actually is.
IBM’s Technical page which discusses CryptoX can be found here. It is worth a read before continuing with this article…
It describes CryptoX as one-way encryption used to store passwords in an encrypted format (i.e. a value that cannot be decrypted or displayed). That is true as far as the CryptoX field type and the Maximo APIs are concerned: neither offers a way to get the password back. But “one-way” is a misnomer. Under the surface the value is produced by DESede (also known as Triple DES), an ordinary symmetric block cipher, and a symmetric cipher is reversible by design: anyone holding the key and the cipher parameters can decrypt. A genuinely one-way scheme would be a password hash, which has no key to recover. I won’t go into depth on the algorithm itself; further details of DESede can be found here.
Like any block cipher, DESede needs a key, plus the mode, padding and (for most modes) an initialisation vector, before it will encrypt anything, almost like a password protecting passwords! Exactly the same key and parameters are needed to decrypt. The catch is that these are configuration values rather than secrets held somewhere the attacker cannot reach, and a default installation uses the same values as every other default installation. Anyone who has already got far enough into the database to dump MAXUSER can reasonably be assumed to have the access, and the skills, to collect the remaining settings and reverse the encryption.
There are regular news stories about websites being breached and passwords stolen, and they fall into two categories. In most of them the passwords were stored as salted hashes, so the attacker holds only scrambled values: weak passwords can still be guessed offline, one at a time, but there is no key that unlocks the whole table. In the rest the passwords were merely encrypted, and the attacker can decrypt them; non-default settings add time and annoyance, but ultimately the passwords come out. By default, Maximo falls into the latter category.
It is safe to assume that some Maximo users reuse their Maximo password on their network and personal accounts. In that case a recovered Maximo password may well open their network account too, and the attacker goes from a dump of one application’s table to a foothold on the network. There are a few options for mitigating this:

  1. First, you can customise the key and padding used by the DESede algorithm by setting the Maximo System Properties mxe.security.cryptox.key and mxe.security.cryptox.padding, as detailed on the same IBM page as the CryptoX field type. Passwords will then be encrypted differently from a standard Maximo install, which uses a default key and padding, so a malicious user can no longer decrypt them with the well-known defaults. But the properties are themselves just configuration, stored in the same database (or in the application server’s maximo.properties file): whoever can read MAXUSER can read them too, and needs only to point their decryption routine at the new values. This raises the bar slightly; it does not remove the problem.
  2. Secondly, you can take password storage away from Maximo altogether by configuring it to authenticate against a directory, such as Active Directory or WebSphere’s directory server. Maximo then holds no password at all for those users: the application server checks the credentials against the directory, which stores them as hashes rather than as something it can decrypt, so a breach of the MAXUSER table no longer yields usable passwords. You can read up on hashed passwords here.
  3. BPD Zenith can customise the password storage mechanism in Maximo to salt and hash the passwords (using a purpose-built password hash rather than a fast general-purpose one) before they reach the database, so that even a full copy of the table gives an attacker nothing to decrypt. If you are interested in this solution, please get in touch.

In summary, Option 1 is a sticky plaster at best and will only buy you time. Options 2 and 3 give you real security and keep your passwords away from prying eyes.
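To make the difference between the two categories concrete, here is an added example in Go. It is not code from the original post and not Maximo’s own implementation (Maximo is a Java product, and its actual CryptoX code, default key, mode and IV are deliberately not reproduced here). The first half imitates the DESede-backed column described above: reversibleEncrypt produces a hex string of the same shape as the MAXUSER value, and reversibleDecrypt turns it straight back into “Password123” for anyone holding the key and parameters. The second half shows what the hashed alternative behind options 2 and 3 looks like: a random per-user salt and PBKDF2-HMAC-SHA256, where verifyPassword can check a login but nothing can recover the password. The key demoKey, the IV demoIV, the choice of CBC mode and the iteration count are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var demoKey = []byte("this-is-a-24-byte-key-!!") // constructed 24-byte DESede key, not the product's default
var demoIV = []byte("12345678")                 // constructed 8-byte IV (CBC mode is an assumption)
const hashIterations = 100000                   // PBKDF2 work factor for the hashed alternative

// pkcs5Unpad strips PKCS5 padding; the caller guarantees whole, non-empty blocks.
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// reversibleEncrypt stands in for a DESede-backed "one-way" column: the stored value is ordinary DESede-CBC/PKCS5 ciphertext, hex-encoded.
func reversibleEncrypt(password string, key, iv []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	n := des.BlockSize - len(password)%des.BlockSize
	buf := append([]byte(password), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return strings.ToUpper(hex.EncodeToString(buf)), nil
}

// reversibleDecrypt is all an attacker needs once the key and parameters are known.
func reversibleDecrypt(stored string, key, iv []byte) (string, error) {
	ct, err := hex.DecodeString(stored)
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("stored value is not hex of whole DESede blocks")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	pt, err := pkcs5Unpad(ct)
	return string(pt), err
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// hashPassword stores "salthex:hashhex": a fresh random salt per user means equal passwords give different records, and there is no key to recover.
func hashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, hashIterations)
	return hex.EncodeToString(salt) + ":" + hex.EncodeToString(dk), nil
}

// verifyPassword recomputes the hash and compares in constant time; the record cannot be turned back into the password.
func verifyPassword(password, stored string) bool {
	saltHex, dkHex, ok := strings.Cut(stored, ":")
	salt, err1 := hex.DecodeString(saltHex)
	dk, err2 := hex.DecodeString(dkHex)
	return ok && err1 == nil && err2 == nil &&
		hmac.Equal(dk, pbkdf2SHA256([]byte(password), salt, hashIterations))
}

func main() {
	stored, _ := reversibleEncrypt("Password123", demoKey, demoIV)
	back, _ := reversibleDecrypt(stored, demoKey, demoIV)
	rec, _ := hashPassword("Password123")
	fmt.Printf("DESede column %s decrypts to %q\nhashed column %s verifies: %v\n",
		stored, back, rec, verifyPassword("Password123", rec))
}
```

Two things worth trying with it. Change demoKey to any other 24-byte value and reversibleDecrypt still works the moment the new key is pasted in, which is exactly why Option 1 only buys time. Call hashPassword twice with the same password and you get two different records, so an attacker holding the table cannot even tell which users share a password, let alone recover it.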
So maybe Maximo does have something to be insecure about after all! If you are concerned about your password security, we can help.

Chris Brown


As an Engineer, Chris is one of BPD Zenith’s most experienced developers. With over 10 years of in-depth technical experience, Chris is the most certified member of the UK team, specialising in Maximo versions 4 to 7.6, Tivoli Process Automation Engine, DB2, SQL Server and Oracle DBA. Chris can develop custom applications and extend the functionality of standard Maximo applications using both the Maximo Application Designer and the Java programming language to meet client requirements. He is knowledgeable in developing custom reports and modifying existing reports using both Actuate and BIRT report designers.
