techienickb / hap

Home Access Plus+ Git Repo
Microsoft Public License

Password Storage #9

Closed ghost closed 2 years ago

ghost commented 2 years ago

HAP requires a valid username and password combination to connect to Active Directory so it can validate user logins and retrieve their files. Once the Administrator enters the password, it is encrypted and salted using AES encryption. This is not safe for multiple reasons, most notably the fact that the key and salt are publicly exposed in the Git repository. Anyone who has access to the passwords essentially has them in plain text. You can easily just reverse engineer the encryption. Example:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Program {
    // Values elided by the reporter: the base64 ciphertext taken from the HAP+
    // configuration, and the key and salt that are committed to the public repository.
    private static string _password = "";
    private static string _key = "";
    private static byte[] _salt = Encoding.ASCII.GetBytes("");

    public static void Main()
    {
        string plaintext = null;
        // Re-derive the AES key and IV from the committed key/salt pair (PBKDF2),
        // which anyone with a copy of the repository can do.
        Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(Program._key, Program._salt);

        using (var aesAlg = new RijndaelManaged()) {
            aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
            aesAlg.IV = key.GetBytes(aesAlg.BlockSize / 8);
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            byte[] bytes = Convert.FromBase64String(Program._password);
            using (MemoryStream msDecrypt = new MemoryStream(bytes))
            using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
            using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                plaintext = srDecrypt.ReadToEnd();
        }

        // The stored "encrypted" AD bind password, recovered in plain text.
        Console.WriteLine(plaintext);
    }
}
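For contrast with the snippet above, here is an added example (not HAP+ code, and not posted by either participant) of storing the AD bind password so that no decryption key lives in the repository: the value is wrapped with Windows DPAPI under the identity of the account running the app pool, and the resulting blob is read from an environment variable. The setting name `HAP_AD_BIND_PASSWORD_PROTECTED` and the class name are hypothetical; it assumes Windows and `System.Security.Cryptography.ProtectedData` (built into .NET Framework, a NuGet package on .NET Core and later).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of HAP+: protect the AD bind password with DPAPI
// instead of AES under a key and salt that are committed to the repository.
public static class BindCredentialStore
{
    // Hypothetical setting name. Its value is the base64 DPAPI blob, never a key.
    private const string SettingName = "HAP_AD_BIND_PASSWORD_PROTECTED";

    // The encryption key is managed by DPAPI for the current Windows account, so
    // nothing in the source tree or config file lets another account decrypt it.
    public static string Protect(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        return Convert.ToBase64String(blob);
    }

    // Fails with CryptographicException when run as a different account.
    public static string Unprotect(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Runtime path: the protected blob comes from the environment, not from the repo.
    public static string LoadBindPassword()
    {
        string blob = Environment.GetEnvironmentVariable(SettingName);
        if (string.IsNullOrEmpty(blob))
            throw new InvalidOperationException(
                SettingName + " is not set; run the one-time Protect step as the app pool account.");
        return Unprotect(blob);
    }

    public static void Main()
    {
        // One-time setup, run as the account that will later call Unprotect.
        string blob = Protect("example-bind-password"); // constructed sample value
        Console.WriteLine(blob);
        Console.WriteLine(Unprotect(blob) == "example-bind-password" ? "round-trip ok" : "mismatch");
    }
}
```

Any process running under the same account can still decrypt the blob, so this only removes the key from the repository; the maintainer's suggestion below (Kerberos constrained delegation, so HAP+ holds no credential at all) removes the stored secret entirely.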
techienickb commented 2 years ago

Which is why it is recommended to run HAP+ under an AAD App Proxy using Kerberos constrained delegation. HAP+ then maintains no usernames or passwords. This project is also no longer in development.

If you wish to fix it please do a PR and fix.