No, this blog isn’t about Maximo’s lack of self-confidence! It is a post highlighting the lax security surrounding the way passwords are stored as standard at the database layer.
When you log into Maximo you must enter your username and password. Maximo then validates that you have entered a valid username and password. It does this by checking the credentials you enter on the login screen against the credentials stored in its database. It is here in the database layer where its vulnerability lies.
The database stores the username and password in a table called MAXUSER. The username is stored as plain text e.g. “Chris.Brown” and the password is stored as a CryptoX value e.g. “10FE6F4650B2ACB49A2121D7E6133E64”. The stored password looks nothing like the password entered by the user, in this case “Password123”. It is bad practice to allow a system administrator (or someone who shouldn’t be looking) to see every user’s password, and so they are encrypted before they are stored in the database.
IBM’s Technical page which discusses CryptoX can be found here. It is worth a read before continuing reading this article…
It describes CryptoX as one-way encryption which is used to store passwords in an encrypted format (i.e. it cannot be decrypted or displayed). This is true as far as CryptoX is concerned. You cannot decrypt the password using the CryptoX field type or Maximo APIs. The problem is this isn’t a true one-way encryption and can be reversed with relative ease. Under the surface, the password is encrypted using a well-known encryption algorithm called DESede (also known as Triple DES). I won’t go into depth around the algorithm but further details of DESede can be found here.
DESede requires some settings given to it before it encrypts data, almost like a password protecting passwords! It also requires the exact same settings to decrypt a password. We can assume that if someone has gained access to a Database to extract usernames and passwords, then they will also possess the skills to extract the rest of the data needed to reverse the Password Encryption.
There are regularly cases in the news about websites being breached and passwords being stolen. There are two categories that these stories fall under. 9 out of 10 times the passwords are stored securely as “hashed and salted” data and the hacker only has access to a scrambled password. 1 in every 10 times the passwords are simply encrypted and can be decrypted. You might add time and annoyance to a malicious user but ultimately, they find out. Maximo falls into the latter category.
It is safe to assume that some Maximo users will use the same password on their network accounts and personal accounts as their Maximo account. In this scenario, malicious users will have full access to the network. There are a few options available to patch this security issue:
- First, you can customise the Key and the Padding used by the DESede encryption algorithm by setting the Maximo System Properties mxe.security.cryptox.key and mxe.security.cryptox.padding . This is detailed on the same IBM page as the CryptoX field type. This will encrypt the passwords differently to standard Maximo which uses a default Key and Padding. This makes it more difficult for a malicious user trying to decrypt the password. However, they will only need to check those System Properties and change their decryption algorithm to accept those modified properties in order to decrypt the passwords.
- Secondly, you can remove the responsibility of password storage from Maximo completely by setting Maximo up to authenticate using Active Directory or WebSphere’s Directory Server. This will then store the passwords outside of Maximo using approved and secure methods known as Hashing. You can read up on hashed passwords here.
- BPD Zenith can customise the Password Storage mechanism in Maximo to Salt and Hash the passwords before they are stored in the database making Maximo secure. If you are interested in this solution, please get in touch.
In summary, Option 1 is a Sticky Plaster at best and will gain you time only. Options 2 or 3 will give you security and protect your passwords from prying eyes.
So maybe Maximo does have something to be insecure about after all! If you are concerned about your password security, we can help.