Password hashing and authentication
UNICOM Intelligence Interviewer - Server Admin
When encrypting and authenticating passwords, UNICOM Intelligence Interviewer - Server Admin authentication information is used together with Microsoft recommendations for .Net applications.
Passwords are encrypted using the SHA-2 hashing algorithm, and are then stored as 44-bit nvarchar strings in the Users table of the mrUserData database. The hashing key/salt used in the encryption is nonconfigurable, and encryption is one-way.
There is no limit on the password length apart from the limits imposed by the size of the Password field in the database.
When UNICOM Intelligence Interviewer - Server Admin receives an authentication request, it hashes the password supplied by the user and compares the result with the stored value. If the two match, the user is granted access to UNICOM Intelligence Interviewer - Server Admin.
The rules for passwords are as follows:
▪Must be at least eight characters in length.
▪Must contain a mix of alphanumeric and non-alphanumeric characters (punctuation or special characters), or a combination of at least two types of non-alphanumeric characters.
▪Cannot contain user ID information (the default setting).
▪Must be changed every 90 days (the default setting).
▪Can only be changed once every 24 hours.
▪Cannot be reused for at least eight password iterations (the default setting).
▪The MustChangePasswordAtNextLogin value should be set to True for newly imported users or when the password is reset by the administrator.
Password definitions apply only to new accounts that are created by the import process. Passwords are never changed or removed for existing users even if the password column contains a value. However, when the MustChangePasswordAtNextLogin is set to True for existing users in the Excel spreadsheet, those users must change their passwords the next time they login. Typically users cannot change their password unless they have administrator authority; when MustChangePasswordAtNextLogin is set to True, users can change their password regardless of administrator status. By default, all imported users are required to change their passwords at next login.
UNICOM Intelligence Interviewer - Server Admin
Authentication of interview participants is normally done using a plain text look-up in the appropriate table of the sample database, but this can be configured for each project. Depending on your application, some projects might accept anonymous participants whereas others might need to identify each participant at the start of the interview.
The interview authentication process can be customized by the sample management script. You can specify a particular cryptographic hash for password verification as long as the operating system or a third party component can perform the hashing.
For new installations, the SHA-2 hash function algorithm is used; for upgrade installations, the following rules apply:
▪All existing user information from the previous version is upgraded in the following steps:
▪The original, encrypted user passwords are archived to a setup log file.
▪New user passwords are randomly assigned and saved to a setup log file. The log file is located at:
C:\Program Files\Common Files\IBM\SPSS\DataCollection\7\Installer\NewPassword.log
▪Server Admin administrators can supply users these new, temporary passwords in a manner that is in accordance with their business practices.
▪The MustChangePasswordAtNextLogin setting is enabled, which forces users to change their passwords at next login.
See also