Hi. I have created a custom password field on empl...
# suitescriptn
NickSuite
07/06/2020, 11:44 AMHi. I have created a custom password field on employee record. I have entered a password in it, saved the record. Using the search, I am able to get the encrypted value of this password. I have created a suitelet with username and password field. I am entering the same value of the password in this field, getting it in the POST request and encrypting it using:
Copy code
var hash = nsCrypto.createHash({
algorithm: nsCrypto.HashAlg.SHA1
});
hash.update({ input: password, });
var hashedVal = hash.digest({ outputEncoding: nsEncode.Encoding.UTF_8});NickSuite
07/06/2020, 12:06 PM@battk any help?
b
battk
07/06/2020, 12:18 PMthat doesnt sound like the correct way to use a password field, nor is it considered a modern way to store a password in general
n
NickSuite
07/06/2020, 12:19 PMWhy? Password field is available by NetSuite.
b
battk
07/06/2020, 12:19 PMtake a look at the Table of Custom Field Type Descriptions for how to use a password field
n
NickSuite
07/06/2020, 12:20 PMBut I am doing almost the same
NickSuite
07/06/2020, 12:21 PMI get the value by searching the employee record. It already gives me encrypted password value.
b
battk
07/06/2020, 12:21 PMthats not what the help guide will tell you to do
battk
07/06/2020, 12:22 PMit tells you to use the password field for display purposes only
battk
07/06/2020, 12:22 PMand to encrypt it yourself
n
NickSuite
07/06/2020, 12:22 PMThe password field gives the encrypted value when we load/search the record, right?
b
battk
07/06/2020, 12:23 PMit might be, but netsuite doesnt share how its encrypted
battk
07/06/2020, 12:23 PMyou should encrypt it yourself
n
NickSuite
07/06/2020, 12:23 PMOh... so what do you suggest?
b
battk
07/06/2020, 12:23 PMand you should not use sha1
battk
07/06/2020, 12:23 PMits not considered secure
battk
07/06/2020, 12:24 PMmore modern would be to use bcrypt, which is actually pretty slow in netsuite.
n
NickSuite
07/06/2020, 12:25 PMSee the help page says the same: "When validating, you pull the encrypted password value into a hidden field and use custom code to encrypt the value the user typed and compare it with the actual encrypted value."
I am pulling the encrypted password value (using search).
and I am using custom code to encrypt the value the user typed in the Suitelet.
b
battk
07/06/2020, 12:25 PMhow do you
pull the encrypted password value into a hidden fieldn
NickSuite
07/06/2020, 12:26 PMInstead of pulling it in hidden field, I am pulling in Suitelet using search.
b
battk
07/06/2020, 12:27 PMthats literally what i am telling you not to do
battk
07/06/2020, 12:27 PMand literally do what the help guide tells you to
n
NickSuite
07/06/2020, 12:28 PMOkay, so I will add the password into the hidden field on the Suitelet, right?
NickSuite
07/06/2020, 12:29 PMThat's what you are saying, right?
b
battk
07/06/2020, 12:30 PMcustom field on the employee record
n
NickSuite
07/06/2020, 12:34 PMcustom text field on employee record and not custom password field?
b
battk
07/06/2020, 12:35 PMcorrect
n
NickSuite
07/06/2020, 12:41 PMOkay, i got your point. Take the plain text password and store it in another field after manually encrypting it. Then use the same encryption method on the value I am getting from Suitelet.
NickSuite
07/06/2020, 12:42 PMWhat if I need to use the custom password type field?
b
battk
07/06/2020, 12:53 PMgrab your third opinion then
battk
07/06/2020, 12:53 PMi believe the password field is generally for display purposes only
n
NickSuite
07/06/2020, 1:03 PMPassword field does not display any value.
b
battk
07/06/2020, 1:10 PMas in you only use it because it obscures the input
n
NickSuite
07/06/2020, 1:12 PMpassword is encrypted and then saved in that field.
b
battk
07/06/2020, 1:26 PMits encrypted in an unknown way, so its lost to you
n
NickSuite
07/06/2020, 1:41 PMgot it. Thanks.
6 Views