In all of the new and updated NiagaraAX releases in 2013, significant changes were made to the encoding and storage of station passwords, to stay up to date with security best practices. New and updated releases now use three different formats to store passwords in a station's database (config.bog file):
Hashed
The safest way to deal with passwords is to not store them at all, but instead to store a hash of each password, produced by a cryptographically strong one-way algorithm (PBKDF2-HMAC-SHA256). Therefore, passwords that never need to be transmitted to other systems, such as all those for Users in the UserService, are stored as hashes.
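As an added illustration of the one-way scheme described above (example code, not NiagaraAX's own implementation or its on-disk format): a per-user random salt, PBKDF2-HMAC-SHA256 written out in full so the construction is visible, and a constant-time verify. The record layout, the iteration count and the field names are assumptions made for this example; production code should take PBKDF2 from a vetted library rather than hand-rolling it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2HMACSHA256 derives keyLen bytes from password and salt with the given
// iteration count (RFC 8018 section 5.2). Spelled out here for illustration;
// real code should use golang.org/x/crypto/pbkdf2 or crypto/pbkdf2 (Go 1.24+).
func pbkdf2HMACSHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, len(u))
		copy(t, u)
		// U_i = PRF(password, U_{i-1});  T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// PasswordRecord is what a user entry stores instead of the password itself.
// Hypothetical layout for this example, not NiagaraAX's config.bog encoding.
type PasswordRecord struct {
	Iterations int
	Salt       []byte
	Hash       []byte
}

const (
	iterations = 100000 // assumed work factor; tune to the host's CPU budget
	saltLen    = 16
	hashLen    = 32
)

// HashPassword draws a fresh random salt so identical passwords on two
// accounts produce different hashes and precomputed tables do not apply.
func HashPassword(password string) (PasswordRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{
		Iterations: iterations,
		Salt:       salt,
		Hash:       pbkdf2HMACSHA256([]byte(password), salt, iterations, hashLen),
	}, nil
}

// VerifyPassword recomputes the hash with the stored salt and compares in
// constant time, so timing does not reveal how many bytes matched.
func VerifyPassword(rec PasswordRecord, candidate string) bool {
	h := pbkdf2HMACSHA256([]byte(candidate), rec.Salt, rec.Iterations, len(rec.Hash))
	return subtle.ConstantTimeCompare(h, rec.Hash) == 1
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	// Only this record would be written to the station database.
	fmt.Printf("stored: pbkdf2-sha256$%d$%s$%s\n", rec.Iterations,
		hex.EncodeToString(rec.Salt), hex.EncodeToString(rec.Hash))
	fmt.Println("verify right password:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("verify wrong password:", VerifyPassword(rec, "Correct horse battery staple"))
}
```

Because the stored value cannot be reversed, a copy of the database gives an attacker only the option of guessing candidates, and the iteration count sets how expensive each guess is.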
Encrypted (AES-256)
Some station services need to store passwords in order to communicate as clients with other hosts, such as email servers, LDAP servers, and other NiagaraAX stations (FoxService). For these passwords a strong two-way encryption algorithm, AES-256, is used, and the encryption key is stored separately from the station database file (config.bog). This way, an attacker who obtains the station file alone cannot recover the passwords it contains.
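The following added example (not NiagaraAX's code) shows the separation the paragraph above describes: a 256-bit key that lives outside the station database, an AES-256-GCM ciphertext that is all the database holds, and a failed decryption when the key is missing. The service path used as the field name and the sample password are constructed for the example; GCM's authentication tag is used so that a wrong key, a ciphertext moved between entries, or a modified byte is rejected rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewStationKey creates a fresh 256-bit key. In the layout the page describes
// this would be written to a file outside config.bog with tight permissions;
// here it simply stays in memory.
func NewStationKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPassword seals password under key with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), the string that would replace the
// cleartext in the station database. The field name (here a service path)
// is bound in as associated data, so a ciphertext cannot be silently copied
// from one service's entry into another's.
func EncryptPassword(key []byte, field, password string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(password), []byte(field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPassword reverses EncryptPassword. A wrong key, a different field
// name or any altered byte makes the GCM tag check fail and returns an error.
func DecryptPassword(key []byte, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewStationKey() // the separately stored key
	if err != nil {
		panic(err)
	}
	// Hypothetical station database entry: a service path and the password it needs.
	field := "Services/EmailService/password"
	stored, err := EncryptPassword(key, field, "mail-relay-secret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s = %s\n", field, stored) // the only thing that lands in config.bog

	pw, err := DecryptPassword(key, field, stored)
	fmt.Println("with the station key:", pw, err)

	// Someone holding only config.bog does not have the key; any other key fails authentication.
	otherKey, _ := NewStationKey()
	_, err = DecryptPassword(otherKey, field, stored)
	fmt.Println("with a different key:", err)
}
```

The protection therefore rests on the key file: it needs stricter file permissions than config.bog, and it must not travel with the database when the database is archived or copied.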
Legacy
In select cases, station passwords are stored in the old (pre-update release) legacy format.
First, any station database saved by an older NiagaraAX version has all passwords stored in this legacy format. However, if a host running updated NiagaraAX starts a station from that file, it immediately converts the passwords to the two new formats above and then re-saves that file.
Second, when editing station database files offline in Workbench, any password changes made (new or updated values) are stored in this legacy format. Note that in this case too, once the station is started it converts these passwords to the new, stronger formats.
Third (in AX-3.8 only), when using the platform Station Copier to save (copy) a station, all client (encrypted) passwords are automatically decrypted and stored in portable format in the config.bog file. This provides better portability of the station database. Again, after the station is started, these passwords are automatically converted to the new AES-256 encryption.
Once a station has converted passwords to the new, stronger hashed or encrypted storage formats, if you save that station database and attempt to run it in an earlier NiagaraAX (pre-update) release, it will fail at startup, because the older software does not understand the new password storage. If for some reason you do need to downgrade a station for such use, you must edit that config.bog file offline in Workbench, re-enter all password values, and then resave it.
When upgrading systems there are related considerations you should know about (and prepare for). Also, after upgrading, when archiving stations to make modifications and copy them back to the original host, keep in mind the following things about the passwords stored in saved files.
Copyright © 2000-2016 Tridium Inc. All rights reserved.