5 Replies Latest reply on Dec 8, 2016 3:10 AM by jlebourhis RSS
    jlebourhis Explorer

    Password security through network

    Hello,

     

    I noticed that, when you change your password with Thingworx Composer or when you logon (on an organization FormLogin page for instance) the password is send without any encryption (or simple hashing) through the network.

    As you can immagine, this is a serious security issue !

    Is there a way to avoid this and to have something safer thant sending an unprotected password ?

     

    Thank you for your answers !

      • Re: Password security through network
        dthomas Newbie

        JeanBriac - I just came to ask the same question! This is not good at all.

         

        I just did a quick search in my browser history for my ThingWorx password and found a few places in my history where it had been stored, unencrypted. This is obviously far from ideal and would really put me off using ThingWorx for any serious work...

          • Re: Password security through network
            meghan Communicator

            **** & JeanBriac,

             

            ThingWorx has the ability to be extended upon with a custom Authenticator that could then handle providing a secure means of authenticating with ThingWorx. Here is the link to the 7.2 Help Center on Authenticators.

             

            Building your own custom Authenticator, with the Java Extension SDK and Eclipse Plugin, will allow you to determine how you are going to allow users into your system, and you can exercise custom code to do things such as create users at Run Time if they do not already exist in the server. The Eclipse Plugin is pretty neat and will automatically generate a class with all of the required functions you will want to use in an Authenticator extension.

             

            Meghan

            • Re: Password security through network
              jlebourhis Explorer

              Hello **** Thomas,

               

              I used the PTC support about this subject and I was a bit disapointed (for the least).

              Although I knew it was possible to do something like Meghan suggests, they did not even mentioned it.

               

              The only answer I got was to use Thingworx through an https connexion (change tomcat parameters to use html frames encryption).

              I told them that using https is not sufficient itself, but they maintained their position on this subject.

               

              I did not tested it yet, but maybe that the recent active directory extension embeded in the new releases of Thingworx may be a bit more secure (I hope).

               

              @Meghan : Thank you for your suggestion. I already knew about the Authenticator but I think that such matters should be native and not reworked by users who are not necessarily aware of all the security aspects. But this is just my opinion