I have a requirement to export the list of users with the number of characters in the password. I need to this list to implement the latest password requirements in my company.
ProjectWise supports 3 user account types. For 2 of them, Windows & Identity accounts, ProjectWise doesn't store the password at all. For logical accounts the passwords should be stored as hashes, not even encrypted, a proper hash can't be reversed and so you can't tell how long the password is.
It's considered an information disclosure security issue if you could tell how long a password was, so what your asking would be bad in any authentication system. The way to ensure passwords are of a certain length is to enforce that when the password is set, not try and check afterwards.
Kevin van Haaren I did not find an option in ProjectWise to enforce passwords are of a certain length
There isn't one. This is one of the reasons I don't recommend using logical accounts for general users on ProjectWise. You also can't set password complexity or password age limits.
I've checked the database and it appears the passwords for logical accounts are being stored as either a SHA-1 hash, or an MD5 hash (this is based on the length of the hash). The one account I think is an MD5 was created in 2009 so I think Bentley switched algorithms after that and we never changed that account's password (bad Kevin).
The MD5 one can probably be found by brute force if they didn't use some kind of random salt on it. The SHA-1 ones are harder and I suspect by the time Bentley implemented that they would've added a salt. Even the MD5 one you won't have time to do a whole database of them to try and find the length of the password.
If you want to enforce a password length and don't want to use Windows accounts to enforce it, you can use Bentley's IMS system for the accounts. It's password length minimum is enforced when the password is set (minimum length is 8 characters).
Answer Verified By: Ajomon George