For security reasons, you may want to store passwords in hashed form rather than as the passwords themselves. This guards against the possibility that someone who gains unauthorized access to the database can read the password of every member in the system. Hashing performs a one-way transformation on a password, turning it into another String, called the hashed password. "One-way" means that it is computationally infeasible to go the other way, that is, to turn the hashed password back into the original password. Several standard cryptographic hash algorithms fulfill this requirement. By default, the Personalization module uses the MD5 algorithm to perform a one-way hash of the password value and stores the result in hashed form. Note that MD5 is a fast, unsalted hash: two members with the same password get the same stored value, and an attacker who obtains the database can test guesses against every hash at once or look them up in a precomputed table. If you can choose, prefer a hasher that adds a per-user salt and is deliberately slow to compute.

The hashed password value is not encrypted before it is stored in the database; the hash is the stored value. When a member attempts to log in, the Personalization module takes the supplied password, performs the same one-way hash on it and compares the result to the database value. If the two hash values match, the login is successful; the original password itself is never compared.

If you do not want to use the hashing function, you can disable it by setting the passwordHasher property of the /atg/userprofiling/PropertyManager component to /atg/dynamo/security/NullPasswordHasher. Thereafter all passwords will be stored and compared in clear text, so anyone who can read the database can read every member's password. You can change the hashing algorithm used by setting the passwordHasher property to point to a PasswordHasher component that uses the appropriate hashing algorithm. Keep in mind that passwords already in the database were hashed by the previous hasher; changing the property does not rehash them, so members whose stored values were produced by the old hasher cannot be verified by the new one until their passwords are set again. ATG provides the following atg.security.PasswordHasher implementations:

Component: /atg/dynamo/security/DigestPasswordHasher
Description: Uses the java.security.MessageDigest mechanism for hashing passwords. This hasher digests the password and then encodes the digest using the binary-to-text encoding scheme specified by the encoding property (base16 by default). This hasher does not support one-time hashing; passwords are encoded the same way every time.

Component: /atg/dynamo/security/MD5PasswordHasher
Description: MD5-specific version of DigestPasswordHasher that supports one-time hashes.

Component: /atg/adapter/ldap/NDSPasswordHasher
Description: A password hasher for use with the LDAP repository and the Netscape Directory Server.

Component: /atg/dynamo/security/NullPasswordHasher
Description: Stores passwords unhashed. Use this only if you want passwords maintained in plain text rather than hashed.
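The following Python example is added here to illustrate the behaviour described above; it is not ATG code and does not reproduce the atg.security.PasswordHasher interface. It models a DigestPasswordHasher-style hasher (digest, then base16 or base64 encoding), the login comparison of hash values, a NullPasswordHasher equivalent, why an unsalted fast hash such as MD5 is weak once the database leaks, and a salted, deliberately slow hash as the hardened alternative. The function names, the sample members and wordlist, and the pbkdf2 record format are this example's own assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def digest_hash(password: str, algorithm: str = "md5", encoding: str = "base16") -> str:
    """Digest the password, then encode the raw digest with a binary-to-text scheme.

    Mirrors the digest-then-encode behaviour the page describes for
    DigestPasswordHasher (base16 by default). The parameter names are this
    example's own, not the ATG component's property names.
    """
    raw = hashlib.new(algorithm, password.encode("utf-8")).digest()
    if encoding == "base16":
        return raw.hex()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def check_digest(password: str, stored: str, algorithm: str = "md5", encoding: str = "base16") -> bool:
    """Login check: hash the supplied password the same way and compare hash values.

    hmac.compare_digest runs in constant time, so a wrong guess does not leak
    how many leading characters of the stored value it matched.
    """
    return hmac.compare_digest(digest_hash(password, algorithm, encoding), stored)


def null_hash(password: str) -> str:
    """Equivalent of NullPasswordHasher: the stored value is the clear-text password."""
    return password


def crack_unsalted(stored: dict[str, str], wordlist: list[str], algorithm: str = "md5") -> dict[str, str]:
    """Show why an unsalted fast hash is weak: one table built from a wordlist
    recovers every member whose password is in it, and members sharing a
    password are visible as identical hashes before any guessing starts."""
    table = {digest_hash(word, algorithm): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# Hardened form: per-user random salt plus a deliberately slow derivation.
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended count for PBKDF2-HMAC-SHA256


def pbkdf2_hash(password: str, salt: bytes | None = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record (format is this example's own):
    scheme$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_check(password: str, stored: str) -> bool:
    """Verify against a pbkdf2_hash() record; salt and iteration count travel
    with the record, so the derivation can be repeated exactly. A record in
    any other format (for example a bare MD5 hex string) fails closed."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample members (not from the original page): two chose the same
# weak password, one chose a password that is not in the attacker's wordlist.
_SAMPLE_PASSWORDS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3!"}
SAMPLE_USERS = {name: digest_hash(pw) for name, pw in _SAMPLE_PASSWORDS.items()}
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed attacker wordlist

if __name__ == "__main__":
    print("stored for alice:", SAMPLE_USERS["alice"])
    print("alice == bob:", SAMPLE_USERS["alice"] == SAMPLE_USERS["bob"])
    print("login alice/password:", check_digest("password", SAMPLE_USERS["alice"]))
    print("recovered from unsalted MD5:", crack_unsalted(SAMPLE_USERS, WORDLIST))
    record = pbkdf2_hash("password")
    print("salted record:", record)
    print("salted record verifies:", pbkdf2_check("password", record))
```

Running the block shows alice and bob sharing one stored value and both being recovered from a four-word list in a single table lookup, while carol survives only because her password is absent from the list. Two calls to pbkdf2_hash("password") produce different records because each draws a fresh salt, so the same table attack no longer scales across users.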
