Generating Passwords


Searching for an OOB* feature to generate User passwords, I have found the example below.

var username = 'itil';

var password = SNC.PasswordPolicyEvaluator.generateUserPassword(username);
gs.info(password); // to view the password

If we try to access the SNC API in a Scoped Application it will not work because it is designed for System Administrators. They can run scripts within the Global scope. 

Last month while participating as a Hacktoberfest maintainer I had the chance to evaluate a contribution regarding password generation:


var PasswordGenerator = Class.create();
PasswordGenerator.prototype = {
    initialize: function() {},

    //
    // Input: Minimum password length that is required
    // Returns a random password for the min length specified
    //
    generate: function(givenPasswordLength) {
        var specials = '!@#$%&*()_+<>[].~';
        var lowercase = 'abcdefghijklmnopqrstuvwxyz';
        var uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        var numbers = '0123456789';
        var all = specials + lowercase + uppercase + numbers;

        String.prototype.pick = function(min, max) {
            var n, chars = '';
            if (typeof max === 'undefined') {
                n = min;
            } else {
                n = min + Math.floor(Math.random() * (max - min));
            }
            for (var i = 0; i < n; i++) {
                chars += this.charAt(Math.floor(Math.random() * this.length));
            }
            return chars;
        };


        String.prototype.shuffle = function() {
            var array = this.split('');
            var tmp, current, top = array.length;

            if (top)
                while (--top) {
                    current = Math.floor(Math.random() * (top + 1));
                    tmp = array[current];
                    array[current] = array[top];
                    array[top] = tmp;
                }
            return array.join('');
        };

        //adjust the pick numbers here to increase or decrease password strength
        var ent = givenPasswordLength - 4;
        if (ent < 0) {
            ent = 0;
        }

        var password = (specials.pick(1) + lowercase.pick(1) + uppercase.pick(1) +
                        numbers.pick(1) + all.pick(ent)).shuffle();
        return (password + '');
    },


    type: 'PasswordGenerator'
};

You can create the Script Include above in a Scoped Application. 

Let's test it from the Scripts - Background in our PDI**:

var helper = new PasswordGenerator(); 
var result = helper.generate(20); // password length
gs.info("Password: " + result);

I approved the contribution because despite the fact there is an OOB feature to generate User passwords, this one is specially useful because: 

1) We can specify the password length to be generated;
2) It runs on Scoped Applications;
3) We have many websites on the Internet capable of generating passwords but it is not a good idea to rely on unknown websites to generate your password, right?
4) GlideEncrypter API is deprecated and should not be used


Thank you.


____
*OOB means already developed functionality by ServiceNow developers
**PDI stands for Personal Developer Instance
Hacktoberfest contribution Generates a random password with a specified length
There is a plugin called ServiceNow Vault which is not in this article scope

Comments

Post a Comment

Popular posts from this blog

Hacktoberfest

Image
I just completed the #ServiceNowHacktoberfest by having 4 contributions accepted! - Service Portal is a single place for everyone to access information, services and different applications. For my first contribution   (1068)  I shared a use case to get a parameter from the URL and use it into an Ajax call, recovering information from the database to show within the User Interface. - For my second pull request   (1069) I talked about best practices, explaining how to safely update a record. If we're not cautious with this kind of programming we can accidentally insert records instead of updating them. - For my third contribution   (1085)  I explained how to validate a field provided within a Catalog Item/Record Producer so that the date can't be in the past.  - The last one   (1093) was about fixing a direct reference to the Choice table. This is an internal table and it is not best practice to reference that table directly when you are creating your choice field. Besides the
Read more

VIDEO How to fix a reference to the Choice [sys_choice] table

Image
        The Choice table is used internally by the platform and depending on the payload of an operation, for performance reasons the platform can decide that it is better to drop the table and insert all the values instead of perform updates on specific records.       When we insert a new record in a table, a new sys_id is generated. If we have the Choice table as a reference to provide choices for a particular field in our table, these choices will be lost every time the platform decides to recreate the Choice table.       A simple way to avoid this problem is to create a field of  type Choice  which indirectly uses the Choice table but it is the right way, or we can create our own table to maintain the Application choices.       Recently I received the mission to do exactly this: create a private choice table for an Application.     The problem       A long time ago, the platform allowed a developer to choose the Choice table as a reference.       As a consequence, old custom applic
Read more

How to hide a Related List

Do you know about the Related List that displays people who can approve or reject a document? Recently a scenario came up where the developer needed to prevent the employee who created a record from approving that document. It wasn't common because usually the operational level creates the document while a manager approves it. Leaving this question of personas aside and focusing on the problem, what would be a possible solution? The first workaround that came to my mind was to hide the Approval list if the user who registered was viewing his own record. A workaround is not the ultimate solution. Just a palliative fix while we find time to think about the ideal one. The action plan 1) Every record has a field called sys_created_by; 2) On the front-end (client side) we have access to an API called Glide User that has some information about the logged in user. Among them is the name in the userName property. What if we create a
Read more