Interested if anyone has come up with a solution to the CMMC 2.0 / NIST SP 800-171 requirement “Prohibit password reuse for a specified number of generations”. We have looked at Epicor IdP and decided against and we do not have Azure AD.
Not sure if it’ll meet the spec, but technically the password (in its encrypted form) is in a field in the Ice.SysUserFile table. Perhaps you could write something that would store previous passwords and check them when the ‘change password’ event is triggered. You wouldn’t have to know what the password was, just that the encrypted string was already used before… Not sure exactly how, but since you’re in the cloud, and don’t have the two simple options, there isn’t much left.
Is it the same every time for the same string, or is there a random salt?
Well, I can say that it’s consistent across instances and appservers, but not a salt or encryption formula I know. It’s probably simple, but Epicor specific. I’ve not tried to break it either.
I use this little tidbit to my advantage when I copy my DBs around to my Test/Dev systems and reset a couple of users to passwords that keep me from doing things in the wrong place. I just copied the known PWD strings into a SQL script and apply it to the copied database. It would also work to recover the password if you change it and forget it.
There’s a random 8-byte salt. The salt itself is appended to the end of the salted hash before the whole thing is converted to the base64 string which is stored in the database.
(Epicor.Security.Cryptography.SHA.Hasher.ComputeHash, defined in the server’s Epicor.ServiceModel.dll.)
CMMC is always behind the eightball. You could use a BPM on Change password to copy the hash into a different table and then use Epicor Hasher.VerifyHash to ensure that it isn’t re-used.

```csharp
using Epicor.Security.Cryptography.SHA;

// "newPassword" stands for the plaintext the user just entered; the second
// argument is one of the hashes previously copied out of Ice.SysUserFile.
if(Hasher.VerifyHash("newPassword", <OLDPASSWORDHASHHERE>, "SHA256"))
{
//The new password matches a stored hash: it is being re-used, reject the change
}
else
{
//No match against this old hash: check the next generation, or accept
}
```
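The two replies above (the 8-byte salt appended after the digest, then base64; and the BPM idea of keeping old hashes in a separate table and checking them with VerifyHash) can be put together in a small model. The Python below is an added example and not Epicor's code: it assumes SHA-256 over `salt || password` (the thread only says "SHA" and that the salt is appended to the stored value), and the names `compute_hash`, `verify_hash` and `PasswordHistory` are invented here. It shows why the history table cannot simply compare stored strings: every hash carries a fresh random salt, so the candidate password has to be re-hashed with each stored salt.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Optional

SALT_LEN = 8  # the thread states the salt is a random 8-byte value
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def compute_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a value in the layout the thread describes: base64(digest || salt).

    Assumption (not confirmed by the thread): digest = SHA-256(salt || UTF-8 password).
    Epicor's real Hasher may combine the inputs differently; only the layout is modelled.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_hash(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, re-derive the digest and compare
    in constant time (the role Hasher.VerifyHash plays in the reply above)."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != DIGEST_LEN + SALT_LEN:
        return False  # malformed or truncated value, never a match
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Per-user ring buffer of the last N hashes, standing in for the separate
    table a change-password BPM would append to."""

    def __init__(self, generations: int) -> None:
        if generations < 1:
            raise ValueError("generations must be >= 1")
        self._history = defaultdict(lambda: deque(maxlen=generations))

    def record(self, user: str, stored_hash: str) -> None:
        """Keep the hash now in Ice.SysUserFile; entries older than N fall off."""
        self._history[user].append(stored_hash)

    def is_reused(self, user: str, new_password: str) -> bool:
        """True when the candidate verifies against any retained hash.
        String equality would miss reuse because each entry has its own salt."""
        return any(verify_hash(new_password, h) for h in self._history[user])


def demo() -> dict:
    """Constructed walk-through; returns the observations so they can be checked."""
    hist = PasswordHistory(generations=3)
    pw1, pw2 = "Summer2024!", "Autumn2024!"  # constructed sample passwords
    h1a, h1b = compute_hash(pw1), compute_hash(pw1)
    hist.record("alice", h1a)
    hist.record("alice", compute_hash(pw2))
    return {
        "same_password_same_string": h1a == h1b,  # False: fresh salt each call
        "both_verify": verify_hash(pw1, h1a) and verify_hash(pw1, h1b),
        "reuse_pw1_blocked": hist.is_reused("alice", pw1),
        "reuse_pw2_blocked": hist.is_reused("alice", pw2),
        "new_password_reused": hist.is_reused("alice", "Winter2025!"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the history in its own table, as the reply suggests, also keeps the retained hashes out of the live user record; the check only ever needs the new plaintext at the moment of the change event and the N stored values.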