Storing Passwords in MS CRM?

  • Question

  • Hi,

    I would like to store my crm contact's (encrypted/hashed) passwords for an external system in a custom password field in the Crm Contacts Entity.

    Would the scenario described below be a good solution for this? (in terms of security?)

    http://www.furnemont.eu/2010/10/crm-2011-first-look-at-the-field-security/

    Or does Ms Crm support this feature in another recommended way?

    Thanks!



    • Edited by Rudgr Monday, April 15, 2013 1:32 PM
    Monday, April 15, 2013 1:29 PM

Answers

  • Hi,

    It really depends on if you want to store the password hashed or not - field level security will prevent users who are unauthorised to see the password, but the password will be stored in plain text in the database.

    If you wanted to encrypt/hash the password, you'd need to write a plugin to intercept the create/update message.

    hth


    Scott Durow
    Read my blog: www.develop1.net/public     Follow Me on Twitter
    If this post answers your question, please click "Mark As Answer" on the post and "Mark as Helpful"

    Monday, April 15, 2013 1:35 PM
    Answerer
  • Nothing directly OOB as far as encrypting data. If you are running the on premise version - here is a good article on Transparent Data Encryption

    Field security does provide a mechanism to restrict access to certain fields but it does not encrypt the field value in the database. 


    Jason Lattimer
    My Blog -  Follow me on Twitter -  LinkedIn

    Monday, April 15, 2013 1:39 PM
    Moderator

All replies

  • Thanks Scott

    yes, I would write the encryption/decryption/hashing of passwords myself and would never store a clear text password in the crm database directly.

    I was just wondering if storing the (encrypted/hashed) passwords of Contacts in the Ms Crm database would be an acceptable solution from a security point of view?

    I'm just looking for some reassurance (or someone telling me that I'm an idiot because I should never save sensitive data like this in CRM? ;-)

    Monday, April 15, 2013 1:41 PM
  • I'd say that as long as you are hashing/encrypting the passwords, there is no reason at all not to store them in Dynamics CRM.


    Scott Durow

    Monday, April 15, 2013 1:43 PM
    Answerer
  • Thanks again for the quick feedback Scott and jlattimer!
    Monday, April 15, 2013 1:49 PM
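
The plugin approach suggested in the answers (intercept the create/update message and hash the value before it is stored), sketched as an added example; it is not code from any poster in this thread or from Microsoft. The attribute name `new_externalpassword`, the iteration count and the stored string format are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Xrm.Sdk;

// Added example: register on contact, Create and Update, pre-operation stage,
// so the clear text is replaced before the platform writes the record.
public class HashContactPasswordPlugin : IPlugin
{
    // Hypothetical custom attribute name; substitute your own schema name.
    private const string PasswordField = "new_externalpassword";
    private const int SaltBytes = 16;
    private const int HashBytes = 20;       // one HMAC-SHA1 output block
    private const int Iterations = 100000;  // assumption: tune for your servers

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));
        if (context.MessageName != "Create" && context.MessageName != "Update")
            return;
        if (!context.InputParameters.Contains("Target"))
            return;
        var target = context.InputParameters["Target"] as Entity;
        // On Update the Target carries only the attributes submitted in the
        // request, so an untouched password is normally absent and not re-hashed.
        if (target == null || target.LogicalName != "contact" ||
            !target.Contains(PasswordField))
            return;

        var clearText = target.GetAttributeValue<string>(PasswordField);
        if (string.IsNullOrEmpty(clearText))
            return; // field cleared: store it empty rather than hash ""

        target[PasswordField] = Hash(clearText);
    }

    // PBKDF2 (HMAC-SHA1 in this .NET overload) with a random per-record salt.
    // Stored form: iterations:base64(salt):base64(hash)
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return Iterations + ":" + Convert.ToBase64String(salt) + ":" +
                   Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }
}
```

The field's maximum length has to hold the stored string (about 60 characters with these sizes). A one-way hash fits only when the stored value is used to verify a submitted password; if the external system needs the original password back, that is the encryption case the thread also mentions, with its own key-management requirements.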