
by Chris Brown | Jun 29, 2017

Insecure Maximo – Password Security

No, this blog isn’t about Maximo’s lack of self-confidence! It is a post highlighting the lax security surrounding the way passwords are stored as standard at the database layer.

When you log into Maximo you must enter your username and password. Maximo then validates that you have entered a valid username and password by checking the credentials you enter on the login screen against the credentials stored in its database. It is here, in the database layer, that the vulnerability lies.
The database stores the username and password in a table called MAXUSER. The username is stored as plain text e.g. “Chris.Brown” and the password is stored as a CryptoX value e.g. “10FE6F4650B2ACB49A2121D7E6133E64”. The stored password looks nothing like the password entered by the user, in this case “Password123”. It is bad practice to allow a system administrator (or someone who shouldn’t be looking) to see every user’s password, and so they are encrypted before they are stored in the database.
IBM’s Technical page which discusses CryptoX can be found here. It is worth a read before continuing reading this article…
It describes CryptoX as one-way encryption which is used to store passwords in an encrypted format (i.e. it cannot be decrypted or displayed). This is true as far as CryptoX is concerned: you cannot decrypt the password using the CryptoX field type or the Maximo APIs. The problem is that this is not a true one-way function and can be reversed with relative ease. Under the surface, the password is encrypted using a well-known encryption algorithm called DESede (also known as Triple DES). I won’t go into depth around the algorithm but further details of DESede can be found here.
DESede requires some settings given to it before it encrypts data, almost like a password protecting passwords! It also requires the exact same settings to decrypt a password. We can assume that if someone has gained access to a Database to extract usernames and passwords, then they will also possess the skills to extract the rest of the data needed to reverse the Password Encryption.
There are regularly cases in the news about websites being breached and passwords being stolen. There are two categories that these stories fall under. 9 out of 10 times the passwords are stored securely as “hashed and salted” data and the hacker only has access to a scrambled password. 1 in every 10 times the passwords are simply encrypted and can be decrypted. You might add time and annoyance to a malicious user but ultimately, they find out. Maximo falls into the latter category.
It is safe to assume that some Maximo users will use the same password on their network accounts and personal accounts as their Maximo account. In this scenario, malicious users will have full access to the network. There are a few options available to patch this security issue:

  1. First, you can customise the Key and the Padding used by the DESede encryption algorithm by setting the Maximo System Properties mxe.security.cryptox.key and mxe.security.cryptox.padding. This is detailed on the same IBM page as the CryptoX field type. This will encrypt the passwords differently to standard Maximo, which uses a default Key and Padding, and makes it more difficult for a malicious user trying to decrypt the password. However, they will only need to read those System Properties and change their decryption routine to use the modified values in order to decrypt the passwords.
  2. Secondly, you can remove the responsibility of password storage from Maximo completely by setting Maximo up to authenticate using Active Directory or WebSphere’s Directory Server. This will then store the passwords outside of Maximo using approved and secure methods known as Hashing. You can read up on hashed passwords here.
  3. BPD Zenith can customise the Password Storage mechanism in Maximo to Salt and Hash the passwords before they are stored in the database making Maximo secure. If you are interested in this solution, please get in touch.
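The difference between the two categories described above (reversible encryption, which the standard CryptoX storage falls into, versus "hashed and salted" storage, which Options 2 and 3 give you) is easiest to see in code. The following is an added illustration written for this post, not Maximo code and not BPD Zenith's customisation: it stores a password as a salted PBKDF2-HMAC-SHA256 record and verifies a login attempt against that record without ever recovering the plaintext. The record format, the iteration count and the "MAXUSER"-style sample rows are assumptions made for the example; a real Maximo customisation would be written in Java against the MAXUSER password field.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration. The iteration count should be
# tuned to the deployment's hardware; higher is slower for an attacker too.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<digest>'.

    A fresh random salt is generated per password, so two users who choose the
    same password get different stored values. There is no inverse function:
    nothing in this module (or anywhere else) turns the record back into the
    password, which is the property the DESede-based CryptoX storage lacks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Show the effect of the per-user salt: identical passwords, distinct records."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


def build_user_table(credentials: dict) -> dict:
    """Constructed stand-in for a MAXUSER-style table: username -> stored record."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample users (not real accounts).
    table = build_user_table({"Chris.Brown": "Password123", "Jane.Doe": "Password123"})
    for user, record in table.items():
        print(user, record)
    print("login ok:", verify_password("Password123", table["Chris.Brown"]))
    print("wrong password rejected:", not verify_password("password123", table["Chris.Brown"]))
```

Note that an administrator reading this table sees only the salt and digest. Even with full read access to the database and to every System Property, there is no key to look up and no routine to run that yields the original password, which is exactly the gap that Option 1 leaves open and Options 2 and 3 close.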

In summary, Option 1 is a Sticky Plaster at best and will gain you time only. Options 2 or 3 will give you security and protect your passwords from prying eyes.
So maybe Maximo does have something to be insecure about after all! If you are concerned about your password security, we can help.

Chris Brown

As an Engineer, Chris is one of BPD Zenith’s most experienced developers. With over 10 years of in-depth technical experience, Chris is the most certified member of the UK team, specialising in Maximo versions 4 to 7.6, Tivoli Process Automation Engine, DB2, SQL Server and Oracle DBA. Chris can develop custom applications and extend the functionality of standard Maximo applications using both the Maximo Application Designer and the Java programming language to meet client requirements. He is knowledgeable in developing custom reports and modifying existing reports using both Actuate and BIRT report designers.
