Password Generation

Hi.

I am trying to generate passwords to almost 45,000 users in Rwanda.

There is no problem in generating a random sequence of characters, the problem is storing it in a database.

The password is stored as a hash, but I don’t know which hash function to use.

Could anybody assist?

-Kenneth

Hi Kenneth,

You must look at the source code of DHIS2 and Spring in order to understand it. It is not a simple hash, but a salted hash depending on the username and password together. This has been previously discussed on this list, but it is most clear by analyzing the source code.

Best regards,

Jason

On Thu, Mar 20, 2014 at 5:39 PM, Kenneth Børtveit kenneth.bortveit@gmail.com wrote:

Hi.

I am trying to generate passwords to almost 45,000 users in Rwanda.

There is no problem in generating a random sequence of characters, the problem is storing it in a database.

The password is stored as a hash, but I don’t know which hash function to use.

Could anybody assist?

-Kenneth


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Alright, thx.

2014-03-20 7:42 GMT+01:00 Jason Pickering jason.p.pickering@gmail.com:

Hi Kenneth,

You must look at the source code of DHIS2 and Spring in order to understand it. It is not a simple hash, but a salted hash depending on the username and password together. This has been previously discussed on this list, but it is most clear by analyzing the source code.

Best regards,

Jason

Here are some documents that Randy Wilson shared on the list - though they state for “Hashpassword: we have not yet found a quicker way to do this than to send the excel file to Bob Jolliffe or Knut Staring (HISP). There is a special algorithm they use to create the MD5 hash password, combining the username and the assigned text password.” Unfortunately I don’t remember exactly how I used to do it…would be good if you share a how to when you figure it out…

template for importing users.xlsx (11.5 KB)

importing users into DHIS-2.docx (17.9 KB)

Knut Staring

Dept. of Informatics, University of Oslo

+4791880522

http://dhis2.org

I think Bob is the best source for this. I have some R scripts but the generated password is not always correct due to peculiar methods which Spring uses to encrypt the passwords which elude me.

–Sent from my mobile

OK you asked for it …

Ken, the algorithm is contained in the attached Password.java file (it's based on what I figured out from the Spring source code). This little Java program takes the username and password as parameters and outputs the username, password and hash as recognised by dhis2.

So if you have for example a csv file containing many, many users, then you can incorporate a script along the lines of the attached genpass.tcl to generate the hash codes in bulk. Or just expand the Java program to read the csv file and possibly even write into a Postgres table. (Personally I prefer to do things a little bit at a time and script through psql). Anyway that's up to you … the algorithm is here.

There are some security considerations. The hash algorithm itself is not great, but you are stuck with emulating what happens inside dhis2 so no point tinkering with that (MD5 must seem like plaintext to the NSA nowadays). A more important consideration is how to generate the 45000 passwords. I have used the makepasswd program to generate fairly cryptic random passwords (also in a script) but users didn’t like them, naturally. Randy initially assigned them things like password1, password2, password3 etc which is also not ideal.

I wonder is the self registration feature an option for you? Not that users necessarily pick good passwords anyway :(

Regards

Bob

Password.java (1020 Bytes)

genpass.tcl (256 Bytes)
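
An added example, not Bob's Password.java or any DHIS2 code: a Python version of the bulk step discussed in this message, drawing each password from the OS CSPRNG instead of a counter and emulating the salted MD5. It assumes the stored value is the hex MD5 of `password{salt}` (the Spring Security 3 `Md5PasswordEncoder` convention) with the salt being Java's `String.hashCode()` of the username; the function names, alphabet and usernames are constructed for illustration.

```python
import csv
import hashlib
import io
import secrets

# No look-alike characters (0/O, 1/l/I): random, but readable and typeable.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def random_password(length=12):
    """Draw every character from the OS CSPRNG; no counters, no random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def java_hash_code(text):
    """Emulate java.lang.String.hashCode(): h = 31*h + unit over UTF-16 code
    units, wrapped to a signed 32-bit int (the step that differs outside Java)."""
    units = text.encode("utf-16-be")
    h = 0
    for i in range(0, len(units), 2):
        unit = (units[i] << 8) | units[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def legacy_hash(username, password):
    """ASSUMED scheme: hex MD5 of 'password{salt}', salt = username.hashCode()."""
    salted = "%s{%d}" % (password, java_hash_code(username))
    return hashlib.md5(salted.encode("utf-8")).hexdigest()


def provision(usernames_csv):
    """Return (username, password, hash) for each row of a one-column CSV."""
    rows = []
    for record in csv.reader(io.StringIO(usernames_csv)):
        if not record or not record[0].strip():
            continue  # skip blank lines
        username = record[0].strip()
        password = random_password()
        rows.append((username, password, legacy_hash(username, password)))
    return rows


# Constructed sample usernames, not real accounts.
SAMPLE = "nurse_kigali_01\nnurse_kigali_02\n\ndistrict_officer_huye\n"

if __name__ == "__main__":
    for row in provision(SAMPLE):
        print(",".join(row))
```

Before loading rows in bulk, compute `legacy_hash` for one existing account whose password you know and compare it with the value stored for that account; the plaintext column should go only to whoever hands out the credentials.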

On 20 March 2014 07:18, Jason Pickering jason.p.pickering@gmail.com wrote:

I think Bob is the best source for this. I have some R scripts but the generated password is not always correct due to peculiar methods which Spring uses to encrypt the passwords which elude me.

–Sent from my mobile

On Mar 20, 2014 5:46 PM, “Knut Staring” knutst@gmail.com wrote:

Here are some documents that Randy Wilson shared on the list - though they state for “Hashpassword: we have not yet found a quicker way to do this than to send the excel file to Bob Jolliffe or Knut Staring (HISP). There is a special algorithm they use to create the MD5 hash password, combining the username and the assigned text password.” Unfortunately I don’t remember exactly how I used to do it…would be good if you share a how to when you figure it out…


Thanks everybody :)

Not really fond of registering users with queries.

I think it will affect the reporting rates in a bad way.

I think registering users should be done through the DHIS2 interface while giving instructions on how to use the reporting system and involving the right people.

For now I am trying to set up a test environment that will show if DHIS2 is supporting a set of requirements and try to document the steps needed for the system to meet those requirements.

Attached is a draft of the requirements and a simple stand-alone .jar file for testing purposes.
encode_password.jar

requirements.pdf (676 KB)

2014-03-20 11:57 GMT+01:00 Bob Jolliffe bobjolliffe@gmail.com:

OK you asked for it …

Ken, the algorithm is contained in the attached Password.java file (it's based on what I figured out from the Spring source code). This little Java program takes the username and password as parameters and outputs the username, password and hash as recognised by dhis2.

So if you have for example a csv file containing many, many users, then you can incorporate a script along the lines of the attached genpass.tcl to generate the hash codes in bulk. Or just expand the Java program to read the csv file and possibly even write into a Postgres table. (Personally I prefer to do things a little bit at a time and script through psql). Anyway that's up to you … the algorithm is here.

There are some security considerations. The hash algorithm itself is not great, but you are stuck with emulating what happens inside dhis2 so no point tinkering with that (MD5 must seem like plaintext to the NSA nowadays). A more important consideration is how to generate the 45000 passwords. I have used the makepasswd program to generate fairly cryptic random passwords (also in a script) but users didn’t like them, naturally. Randy initially assigned them things like password1, password2, password3 etc which is also not ideal.

I wonder is the self registration feature an option for you? Not that users necessarily pick good passwords anyway :(

Regards

Bob


Kenneth

Have you read one of my mails in the previous discussion? I used this approach to generate 2000 users automatically with passwords and roles, and to assign them to the appropriate orgunit where the users belong.

In case you need to expedite creation of thousands of users and passwords the following classes might help. In essence, all of user creation steps can be done by sql. However, password hash is a bit tricky in dhis2 when it depends on Spring Security.

https://dl.dropboxusercontent.com/u/63702128/dhis2%20user%20generator/GeneratePassword.java
https://dl.dropboxusercontent.com/u/63702128/dhis2%20user%20generator/RandomGenerator.java

After having a list of username and password pairs you can use sql to fill in users and userinfo tables, plus other germane tables for assigning orgunit and roles.

Cheers,

Thanh

Nguyễn Ngọc Thành

On Thu, Mar 20, 2014 at 7:35 PM, Kenneth Børtveit kenneth.bortveit@gmail.com wrote:

Thanks everybody :)

Not really fond of registering users with queries.

I think it will affect the reporting rates in a bad way.

I think registering users should be done through the DHIS2 interface while giving instructions on how to use the reporting system and involving the right people.

For now I am trying to set up a test environment that will show if DHIS2 is supporting a set of requirements and try to document the steps needed for the system to meet those requirements.

Attached is a draft of the requirements and a simple stand-alone .jar file for testing purposes.
encode_password.jar

