THE BPD Blog


by Chris Brown | Jun 29, 2017

Insecure Maximo – Password Security

No, this blog isn’t about Maximo’s lack of self-confidence! It is a post highlighting the lax security surrounding the way passwords are stored as standard at the database layer.

When you log into Maximo you must enter your username and password. Maximo then validates that you have entered a valid username and password by checking the credentials you enter on the login screen against the credentials stored in its database. It is here, in the database layer, that the vulnerability lies.
The database stores the username and password in a table called MAXUSER. The username is stored as plain text, e.g. “Chris.Brown”, and the password is stored as a CryptoX value, e.g. “10FE6F4650B2ACB49A2121D7E6133E64”. The stored value looks nothing like the password the user typed, in this case “Password123”. It is bad practice to allow a system administrator (or someone who shouldn’t be looking) to see every user’s password, and so passwords are encrypted before they are stored in the database.
IBM’s Technical page which discusses CryptoX can be found here. It is worth a read before continuing reading this article…
It describes CryptoX as one-way encryption which is used to store passwords in an encrypted format (i.e. it cannot be decrypted or displayed). This is true as far as CryptoX is concerned: you cannot decrypt the password using the CryptoX field type or the Maximo APIs. The problem is that this isn’t true one-way encryption, and it can be reversed with relative ease. Under the surface, the password is encrypted using a well-known encryption algorithm called DESede (also known as Triple DES). I won’t go into depth on the algorithm, but further details of DESede can be found here.
DESede requires some settings before it encrypts data, almost like a password protecting passwords! It also requires exactly the same settings to decrypt a password. We can assume that if someone has gained access to the database to extract usernames and passwords, they will also possess the skills to extract the rest of the data needed to reverse the password encryption.
There are regularly cases in the news about websites being breached and passwords being stolen. These stories fall into two categories. 9 out of 10 times the passwords are stored securely as “hashed and salted” data and the hacker only has access to a scrambled password. 1 in every 10 times the passwords are simply encrypted and can be decrypted. You might add time and annoyance to a malicious user, but ultimately they find out. Maximo falls into the latter category.
It is safe to assume that some Maximo users will use the same password for their network accounts and personal accounts as for their Maximo account. In this scenario, a malicious user who recovers the Maximo passwords will have full access to the network. There are a few options available to patch this security issue:

  1. First, you can customise the Key and the Padding used by the DESede encryption algorithm by setting the Maximo System Properties mxe.security.cryptox.key and mxe.security.cryptox.padding. This is detailed on the same IBM page as the CryptoX field type. Passwords will then be encrypted differently from standard Maximo, which uses a default Key and Padding. This makes it more difficult for a malicious user trying to decrypt the passwords. However, they will only need to read those System Properties and feed the modified values into their decryption routine in order to decrypt the passwords.
  2. Secondly, you can remove the responsibility for password storage from Maximo completely by setting Maximo up to authenticate using Active Directory or WebSphere’s Directory Server. The passwords are then stored outside of Maximo using an approved and secure method known as hashing. You can read up on hashed passwords here.
  3. BPD Zenith can customise the password storage mechanism in Maximo to salt and hash the passwords before they are stored in the database, making Maximo secure. If you are interested in this solution, please get in touch.
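To make the difference between options 1 and 3 concrete, here is an added example (not Maximo’s CryptoX code and not BPD Zenith’s customisation) of the “salted and hashed” storage that options 2 and 3 rely on. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions for illustration; the point is that verification re-derives the hash from the candidate password, so there is no key to find and nothing to decrypt.

```python
import base64
import hashlib
import hmac
import os

# Constructed example of salted, iterated password hashing.
# Iteration count is an illustrative assumption, not a Maximo setting.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iter$salt$hash.

    A fresh random salt is generated per call, so two users with the
    same password (e.g. "Password123") get different stored records,
    unlike a deterministic encrypted value that is the same for both.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Check a login attempt against a stored record.

    The stored hash is never reversed; the candidate password is hashed
    with the stored salt and iteration count and compared in constant
    time, so a database reader cannot learn the password from the record.
    """
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iters)
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("Password123")   # what would go in the table
    print(stored)
    print(verify_password("Password123", stored), verify_password("wrong", stored))
```

Contrast this with option 1: a customised DESede key only changes the settings an attacker must read from the System Properties, whereas a salted hash leaves nothing in the database that can be turned back into the password.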

In summary, Option 1 is a sticking plaster at best and will only buy you time. Options 2 and 3 will give you real security and protect your passwords from prying eyes.
So maybe Maximo does have something to be insecure about after all! If you are concerned about your password security, we can help.

Chris Brown

As an Engineer, Chris is one of BPD Zenith’s most experienced developers. With over 10 years of in-depth technical experience, Chris is the most certified member of the UK team, specialising in Maximo versions 4 to 7.6, Tivoli Process Automation Engine, DB2, SQL Server and Oracle DBA. Chris can develop custom applications and extend the functionality of standard Maximo applications using both the Maximo Application Designer and the Java programming language to meet client requirements. He is knowledgeable in developing custom reports and modifying existing reports using both Actuate and BIRT report designers.
