Lucee Admin password encryption algorithm

Steven_Durette · January 7, 2021, 9:38pm

I am trying to get a confirmation on this… What encryption algorithm is used to encrypt the Lucee admin password? One place I’ve found states that it is blowfish, but I also found this link ( How to encrypt passwords - dev / support - Lucee Dev) that makes it look like it is SHA256.

I need a definitive answer on this because if I am to use Lucee in our company, we have rules about not using blowfish and I would have to get an exception if possible. I have seen that the db passwords are encrypted with blowfish but that is a non issue because we load the db passwords at run time and they never get encrypted into the xml files.

Thanks,
Steve Durette

Zackster · January 12, 2021, 5:37pm

the admin password is encrypted using SHA-256, with five iterations

github.com

bdw429s/Lucee-password-util/blob/master/models/PasswordManager.cfc

component singleton {

        // Salts from the Lucee or Railo java source
        variables.administratorSalt = 'tpwisgh';
        variables.dataSourceSalt = 'sdfsdfs';

        // Administrator passwords (server and web)
        
		// Use this for pw and default-pw.
        public string function hashAdministrator(required string pass, string salt='') {

				// If this is a salted hash, append the salt
				if( len( arguments.salt) ) {
					arguments.pass &= ':' & arguments.salt;
				}
				
                MessageDigest = createObject('java','java.security.MessageDigest');

                for(i=1; i<=5; i++) {
                        md = MessageDigest.getInstance('SHA-256');

This file has been truncated. show original

Steven_Durette · January 13, 2021, 3:20pm

Thank you so much