I understand that Spark encryted passwords into its %USERPROFILE%\Spark\Spark.Properties file, for example in the Spark.Properties file we have
password=OychgUTkZSUrlreQYzRBobt==
What algorithm does it use to generate these passwords?
Spark use for the password encryption Triple DES
While 3DES (DESede) is used, its important to know that the key used to encrypt is the same key used by all Spark installs, and is widely available in the source. Do not rely on the encryption for security, it really only prevents a casual browser from reading the password.
Thanks for your reply,
Does anyone know of a script or method to decrypt the password in the spart.properties file?
I suggest you look at the source for Spark to see how it does it, then you can write your own Java program to suit your needs.
Seems like this would be a pretty significant security issue. Was it not possible to use a hash?
No, and for the simple reason that the actual password is needed to log into a server. In general, any application that saves your password will do so in an insecure way, because it must be retrieved somehow. If you are worried about the security, dont save your passwords.
Oh, duh. I need to hit the docs to see how, or if, it’s possible to force a user to do SSO or at least keep them from saving their password after the initial install.
There would be no way to force it at this point, short of not allowing passwords on the server (via restricting the SASL mechanisms to GSSAPI) If you want Spark to not allow saving passwords, but allow it to use passwords, some customization to Spark will be needed.
I use a custom adm file in conjunction with a windows service that on a set interval updates the spark.properties file using for /f loops on registry key pushed out through group policy
Thank you!