Thursday, September 16, 2010

Is the new "Remember User and Password" feature in Microsoft Dynamics GP 2010 safe?

Increasingly, a number of you have been asking about the security of the new "Remember User and Password" login feature in Microsoft Dynamics GP 2010. I will start with the short answer to this question...Yes! Very safe indeed.

Back in January, I posted an article about the new feature - see Microsoft Dynamics GP 2010 - Security Enhancements. In this article, I described the new automatic login capabilities in Microsft Dynamics GP 2010. As you may know by now, these settings are stored in the Windows Registry under the HKEY_CURRENT_USER registry hive as shown below:


HKEY_CURRENT_USER/Software/Microsoft/Dynamics GP


The ProtectedValueA and ProtectedValueB keys correspond to the user Id and password values respectively and are stored as REG_BINARY values. You may be thinking, it would be simple enough to get a cracker from any website that decodes the value into a readable string. Even if you did, the development team has taken extra precautions to introduce an entropic encryption key to prevent user Ids and passwords from being decoded with external applications.

The entropic encryption key is passed to Dexterity's new Registry_SetProtectedKeyString() function to ensure maximum encryption and no, you cannot see it with Script Profiler. Now, don't ask me about the algorithm used by the Dexterity function or the entropic encryption key, because I simply don't know the former or don't have the latter, just know your user Id and passwords are completely safe!

Related Articles

Why does Microsoft Dynamics GP encrypt passwords @ Developing for Dynamics GP
Microsoft Dynamics GP Application Password System @ Developing for Dynamics GP
The Scoop On Dynamics GP’s Application Password System @ Inside Microsoft Dynamics GP

Until next post!

MG.-
Mariano Gomez, MVP
Maximum Global Business, LLC
http://www.maximumglobalbusiness.com/

No comments: