cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - New to the community? Learn how to post a question and get help from PTC and industry experts! X

Password security through network

jlebourhis1
1-Newbie

Password security through network

Hello,

I noticed that, when you change your password with Thingworx Composer or when you logon (on an organization FormLogin page for instance) the password is send without any encryption (or simple hashing) through the network.

As you can immagine, this is a serious security issue !

Is there a way to avoid this and to have something safer thant sending an unprotected password ?

Thank you for your answers !

5 REPLIES 5

JeanBriac - I just came to ask the same question! This is not good at all.

I just did a quick search in my browser history for my ThingWorx password and found a few places in my history where it had been stored, unencrypted. This is obviously far from ideal and would really put me off using ThingWorx for any serious work...

mhollenbach
5-Regular Member
(To:dthomas1)

Dick & JeanBriac,

ThingWorx has the ability to be extended upon with a custom Authenticator that could then handle providing a secure means of authenticating with ThingWorx. Here is the link to the 7.2 Help Center on Authenticators.

Building your own custom Authenticator, with the Java Extension SDK and Eclipse Plugin, will allow you to determine how you are going to allow users into your system, and you can exercise custom code to do things such as create users at Run Time if they do not already exist in the server. The Eclipse Plugin is pretty neat and will automatically generate a class with all of the required functions you will want to use in an Authenticator extension.

Meghan

Hello Dick Thomas,

I used the PTC support about this subject and I was a bit disapointed (for the least).

Although I knew it was possible to do something like Meghan suggests, they did not even mentioned it.

The only answer I got was to use Thingworx through an https connexion (change tomcat parameters to use html frames encryption).

I told them that using https is not sufficient itself, but they maintained their position on this subject.

I did not tested it yet, but maybe that the recent active directory extension embeded in the new releases of Thingworx may be a bit more secure (I hope).

@Meghan : Thank you for your suggestion. I already knew about the Authenticator but I think that such matters should be native and not reworked by users who are not necessarily aware of all the security aspects. But this is just my opinion

Hi Meghan Hollenbach​, is there an update on this? Was this fixed in the new version?

Hello,

from what I've seen it has been fixed in the 7.2 version.

The password is being transmitted hashed and it is also the hashed password that is received.

Top Tags