How/where are the "internal user" passwords stored?

Main.InternalUserSecurity History

April 12, 2016, at 12:03 PM by 109.147.66.152 -
Changed line 5 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with security best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].  This use of a secure one-way hash ensures that users' passwords are kept private even if someone has access to the PaperCut database.
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with security best practice - a [[http://en.wikipedia.org/wiki/Bcrypt|BCrypt]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].  This use of a secure one-way hash ensures that users' passwords are kept private even if someone has access to the PaperCut database.
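Review bot: The replacement text swaps the MD5 link for BCrypt but keeps the MD5-era wording "sum factored from a combination of username + password + a salt" unchanged. bcrypt produces a hash string that embeds its own salt and cost factor rather than a "sum", so the sentence should be reworded to say what is actually fed to bcrypt. The edit also does not say what happens to hashes stored under the previous MD5 scheme (for example, whether they are re-hashed at next login), which is the first thing an administrator reading this answer will want to know.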
Changed lines 5-6 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with security best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].  This use of a secure one-way hash ensures that users' passwords are kept private even if someone has access to the PaperCut database.
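Review bot: The sentence added at the end, "This use of a secure one-way hash ensures that users' passwords are kept private even if someone has access to the PaperCut database", overstates what the scheme named in this revision provides. A salted MD5 hash stops the password being read directly, but anyone holding the database can still test guesses offline, and MD5 is fast to compute. Suggest softening "ensures" to "helps protect", and noting that password strength still matters.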
Changed lines 9-10 from:
A: The password used for external users (e.g. Domain users) are not stored or cached.  Password validation for external users are done with a real-time lookup/query via the domain controller.
to:
A: The password used for external users (e.g. LDAP or Active Directory) are never stored or cached.  All password validation for external users are done with a real-time lookup/query to the external system. 
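Review bot: The new text carries over the subject-verb disagreement from the old wording: "The password ... are never stored" and "All password validation ... are done". Suggest "Passwords for external users (e.g. LDAP or Active Directory) are never stored or cached" and "All password validation for external users is done with a real-time lookup/query to the external system".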
Added lines 12-13:
''Categories:'' [[Category.Security|+]]
----
Changed lines 5-6 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_(cryptography)|salt]].
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
Changed line 12 from:
[-keywords: security, password storage-]
to:
[-Keywords: security, password storage-]
Changed lines 5-6 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_(cryptography)|salt]].
Added lines 9-10:
A: The password used for external users (e.g. Domain users) are not stored or cached.  Password validation for external users are done with a real-time lookup/query via the domain controller.
Changed lines 5-10 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].

A: This same security policy applies to the in-built admin password.

----
[-keywords: security, password storage-]
Changed line 5 from:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an MD5 sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
to:
A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an [[http://en.wikipedia.org/wiki/MD5|MD5]] sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].
Changed lines 1-2 from:
(:title How/where are the "internal users" passwords stored?:)
to:
(:title How/where are the "internal user" passwords stored?:)
Added lines 1-5:
(:title How/where are the "internal users" passwords stored?:)

Q: I wish to use the [[https://www.papercut.com/products/ng/manual/ch-guest-users.html|internal users]] feature but have concerns about security. How and where are the user's passwords stored?

A: All information associated with an ''internal user'' (normally used for guest user account management) is stored in the PaperCut Database.  The passwords are not stored in plain text.  Passwords are stored as a one-way hash in line with best practice - an MD5 sum factored from a combination of username + password + a [[http://en.wikipedia.org/wiki/Salt_%28cryptography%29|salt]].

Article last modified on April 12, 2016, at 12:03 PM