It all started when Christopher Kois published an article explaining that he had worked out how the System Password was encrypted. While he was correct that this password is not strongly encrypted, he overstated the risks that the weak encryption could cause. At this point I should mention that the System Password is an optional password which can be used as an additional method to restrict access to certain "system" windows in the application. Many customer sites do not even set it, and so never use it. It does not replace the application-level security system, which can prevent access to those windows entirely, AND it is not related in any way to the SQL Logins or the users' passwords. The encryption used for this password is Dexterity's built-in encryption property on table fields, which uses an XOR algorithm and simply makes the value hard to read rather than cryptographically protecting it. Read the article here: Breaking the "encryption algorithm" for Microsoft Dynamics GP – Dexterity Encryption.
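To make the distinction between "hard to read" and "cryptographically protected" concrete, here is an added example in Python (not Dexterity sanScript, and not code from this blog or from Microsoft). The XOR key and routine are constructed for illustration and are not Dexterity's actual key or algorithm. It shows why repeating-key XOR is reversible by anyone holding the same client, and contrasts it with a salted, iterated password hash, which is the kind of protection a real credential store relies on. The application-level security that actually gates access to windows is out of scope here and is not modelled.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy key for demonstration only; NOT Dexterity's key or algorithm.
TOY_XOR_KEY = b"\x5a\xa5\x3c\xc3"


def xor_obfuscate(data: bytes, key: bytes = TOY_XOR_KEY) -> bytes:
    """Repeating-key XOR obfuscation.

    XOR is its own inverse, so the same call both encodes and decodes.
    Because the key has to be present wherever the value is decoded (i.e. in
    every client), this provides obscurity, not confidentiality.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_roundtrips(secret: bytes) -> bool:
    """True if obfuscating twice returns the original bytes (it always does)."""
    return xor_obfuscate(xor_obfuscate(secret)) == secret


# Contrast: a salted, iterated hash can be *verified* but not reversed.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storing a password without storing the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    secret = b"letmein"  # constructed sample value
    hidden = xor_obfuscate(secret)
    print("obfuscated:", hidden.hex(), "roundtrip ok:", xor_roundtrips(secret))

    salt, digest = make_password_record("letmein")
    print("hash verifies:", verify_password("letmein", salt, digest))
    print("wrong password:", verify_password("letmeout", salt, digest))
```

The takeaway matches the post: the XOR step hides the value from a casual glance at the table, but it is not a secret-keeping mechanism, which is why the real control is the separate authorization layer, not the obfuscation.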
This original post was then picked up by ComputerWorld (Oops! Microsoft Dynamics GP's huge security hole (update: NOT)) and SlashDot (IT: Microsoft Dynamics GP "Encrypted" Using Caesar Cipher). Between the original article and these two follow-on articles, the rumour that Dynamics GP had a security flaw was spread.
Starting with Mark Polino, our ever watchful MVPs and bloggers in the Microsoft Dynamics GP Community saw these posts and responded with comments on the posts, their own blog articles and emails to various people in Microsoft. I had an email from Steve Endow alerting me to the unfolding saga.
See the blog posts below:
- Mark Polino - Slashdot Gets it Wrong – No Security Hole
- Mariano Gomez - Urban Legends - "I cracked Dynamics GP encryption algorithm!"
Then Microsoft published its official response:
- Inside Dynamics GP - The Scoop On Dynamics GP’s Application Password System
- PartnerSource - Microsoft Dynamics GP Application Password System
- CustomerSource - Microsoft Dynamics GP Application Password System
The original posts have since been updated to reflect the correct information highlighted by the community and by Microsoft.
For some related reading on passwords and authentication, have a read of the following posts from this blog:
- Why does Microsoft Dynamics GP encrypt passwords?
- Do we really want Windows Authentication for Microsoft Dynamics GP?
This whole episode shows how quickly misinformation can be spread with the aid of the Internet, even when it is unintentional. Don't believe everything you read on the Internet without validating it or knowing the source to be reliable.