From a high level, Epicor has a small helper class that hashes the password via two helper methods, ComputeHash and VerifyHash. It supports different algorithms such as SHA1, SHA256, SHA384, SHA512 and MD5, but by default Epicor uses SHA256.
That helper lives in Epicor.System.dll, usually stored in the bin folder on the IIS App Server.
High Level ComputeHash:
- Using RNGCryptoServiceProvider creates a random number salt as bytes
- Converts your plain-text password string into bytes
- Creates a buffer with the size of passwordBytes.Length + saltBytes.Length
- Combines the passwordBytes and saltBytes into a single buffer array
- Hashes the buffer using SHA256Managed
- Does some magic via a for loop
- Encodes the result as Base64
What you need to know is that the random salt is embedded in the resulting hash and is used by the VerifyHash method.
If you were to call ComputeHash a thousand times with the same password string, you would get a different hash every time.
| Password | Computed Epicor Hash w/ RNG Salt |
|---|---|
| manager | 46uIY6/nQjHL5mX1KeE/7NtEXD3MIOblGxpVRH5ZWXNORGsNwT3WHg== |

```csharp
// Returns, for example: 46uIY6/nQjHL5mX1KeE/7NtEXD3MIOblGxpVRH5ZWXNORGsNwT3WHg==
Epicor.Security.Cryptography.SHA.Hasher.ComputeHash("manager");
```
High Level VerifyHash (returns a boolean indicating whether the hash matched):
- Decodes the Base64
- Extracts the salt bytes from the hash
- Using the same salt bytes and the user-provided plain-text password, re-creates the hash; this time, because we pass in a salt array, ComputeHash won't create an RNG salt but will use the one passed in.
- Compares the newly created hash (Base64) to the hash in the database (previously generated). They should match.
A lot more detail could be written on this process, but the key thing to know is that a hash computed on my PC would work just as well on your machine: it does not make use of DPAPI, so when you copy your database to another server, it all works just fine.
For those curious how the salt is created, since it's not a hard-coded "MfgSys" salt in E10.1+:
```csharp
using System.Security.Cryptography;

// Fills an array of bytes with a cryptographically strong sequence of random nonzero values.
// The array length was lost in extraction; saltLength stands in for the original constant.
byte[] saltBytes = new byte[saltLength];
new RNGCryptoServiceProvider().GetNonZeroBytes(saltBytes);
```
With some effort you can look up the hashing algorithm and re-create it in Visual Studio for your custom needs.
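As an added sketch of that re-creation (my own example, not Epicor's code, and not byte-compatible with it), here is the salt-embedded scheme the two lists above describe, in C#. The 16-byte salt length and the "digest followed by salt" layout inside the Base64 blob are assumptions, since the page does not show what the "magic" loop does.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Epicor's own code. SaltSize and the digest-then-salt
// layout are assumptions; Epicor's real output will not match this byte-for-byte.
public static class SaltedSha256
{
    const int SaltSize = 16;   // assumed; the real length is not shown on the page
    const int DigestSize = 32; // SHA-256 output length in bytes

    // Hash a password. When saltBytes is null a fresh random salt is generated;
    // otherwise the supplied salt is reused, which is what VerifyHash relies on.
    public static string ComputeHash(string plainText, byte[] saltBytes = null)
    {
        if (saltBytes == null)
        {
            saltBytes = new byte[SaltSize];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetNonZeroBytes(saltBytes); // random, non-zero salt bytes
        }
        byte[] passwordBytes = Encoding.UTF8.GetBytes(plainText);
        byte[] buffer = new byte[passwordBytes.Length + saltBytes.Length];
        Buffer.BlockCopy(passwordBytes, 0, buffer, 0, passwordBytes.Length);
        Buffer.BlockCopy(saltBytes, 0, buffer, passwordBytes.Length, saltBytes.Length);

        byte[] digest;
        using (var sha = new SHA256Managed())
            digest = sha.ComputeHash(buffer);

        // Embed the salt after the digest so VerifyHash can recover it later.
        byte[] hashWithSalt = new byte[digest.Length + saltBytes.Length];
        for (int i = 0; i < digest.Length; i++) hashWithSalt[i] = digest[i];
        for (int i = 0; i < saltBytes.Length; i++) hashWithSalt[digest.Length + i] = saltBytes[i];
        return Convert.ToBase64String(hashWithSalt);
    }

    public static bool VerifyHash(string plainText, string storedHash)
    {
        byte[] hashWithSalt = Convert.FromBase64String(storedHash);
        if (hashWithSalt.Length <= DigestSize) return false; // malformed: no salt present

        // Extract the embedded salt, recompute with it, and compare the Base64 strings.
        byte[] saltBytes = new byte[hashWithSalt.Length - DigestSize];
        Array.Copy(hashWithSalt, DigestSize, saltBytes, 0, saltBytes.Length);
        string recomputed = ComputeHash(plainText, saltBytes);
        return recomputed == storedHash;
    }
}
```

Calling `ComputeHash("manager")` twice yields two different strings, yet `VerifyHash("manager", either)` returns true, which is the property the post describes.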