Password encryptions

Gidi Kern shared this question 2 years ago
Answered

Hi,


Need to answers customer security issues. Could you please answer


Is password encrypted (also at transit)?

Are passwords are both salted and hashed?


What key length are you using for encryption?


Thanks

Gidi

Comments (5)

photo
1

Hello Gidi,


Thanks for reaching out with your question. Since you didn't explicitly denote what passwords to which you refer, I'll presume you're referring to passwords used in Data Sources. Please correct me if I'm mistaken.


First and foremost, whether the password is encrypted in transit depends on your connection to your RDBMS. If you're connecting via SSL, then the connection is encrypted. If you haven't explicitly configured it as such, the authentication may be in plain text.


In regards to the passwords at rest, these are encrypted as they are stored for use with Yellowfin. Sharing specific details of our manner of encryption, however, would violate our policies and potentially put other Yellowfin clients at risk. For this reason, I cannot give specific answers to how we encrypt our passwords.


I hope this information helps!


Thanks,

Ryan

photo
1

Hi,

1. Actually both Data Source passowrds and YF passwords.

2. Supporting salted and hash password and key length is violating security policy? So I should I know what policy are you violating. We need to support level of security for our customers!


Gidi

photo
1

Hello Gidi,


1. I'm unsure as to whether we use the same method of encryption for both passwords stored in the data base and the password stored in the configuration file.

2. While supporting salted and hashed passwords and having proper key lengths does not violate security policy, publicly disclosing the methods we DO use to encrypt our passwords does. This is a request that will have to be handled by a higher authority than myself.

I've placed this for review by the Australian team to determine how best to proceed.

Thanks,

Ryan

photo
1

Hello Gidi,


I can verify that any password stored in a configuration file is encrypted using 3DES encryption.

Any passwords stored in the Yellowfin Configuration Database are hashed to prevent a comprise of data if the Configuration Database is breached. The clarification here is that these are hashed and not encrypted.

Does this address your questions?

Thanks,

Ryan

photo
1

Hi Gidi,

I'm going to mark this as Answered, as I haven't heard back from you for some time on this.

Thanks,

Ryan