0 votes

Hi I would like to set an Acc_account password from SQL or from a Serverscript.

is that even possible?

asked in WorkFlow / Serverscript by (989 points)

3 Answers

+1 vote
Best answer

There is no API method available AFAIK, but you can achieve results using SQL.

Efficy uses a SHA1 hash for the ACC_ACCOUNTS.passwrd field. A fall back for old password allows you to provide a password, without including the salt (hence the name of the field NACL). The salt was added to prevent rainbow table attacks.

So you just have to SHA1 [edit] and upper case your password into this PASSWRD field and leave NACL empty. The first time the user logs on, the password is salted and you will see that the hash is updated.

You can test SHA1 online here.

I have not yet figured out how the NACL is generated, but if you do, you can make it secure from the start.

answered by (7.4k points)
edited by
It s working fine thank you but :
WARNING : you have to upper your sha1 password string before inserting it in the database.

Thank you. I can't figure how the NACL is generated but I don't really need it in this case.
Thanks, I adapted the original answer
this is how you can do it from SQL server :

password = upper(sys.fn_varbintohexsubstring(0, HashBytes('SHA1', 'yourpassword'), 1, 0))
Wow nice, SQL Server has even native support for it!
something changed for efficy 10! if there is a value for NACL the SQL Server function is not working anymore. I tried different version to add the salt to the pwd with out success. Any idea?
Hi Tim, what version of Efficy 10 are you talking about? I ve use it in SP1 and it is working. Can't you just set the NACL to null before?
Hi ho Louis,

We are running 10 no SP at all -> Efficy (Build 10.0.7987.0 2016-05-04 00:00)  - and deleting t NACL wouldn't help. I just need to check on a valid useraccount from another application. and this is not working anymore ... the question remains: who can I test via SQL the PWD if NACL is already set? Thank you for your support!
Hmmm If it worked before I can only assume that the crypting method has changed. I can't help you to check a password directly in SQL but why don't you try to use the native Logon method from the Soap API or from a serverscript instead of a direct SQL method?
well, unfortunately in this case it is not working for us. I even have to test on deactivated accounts :-/

The NACL (salt) is added to the password before it is hashed. I don't have the exact specifications on how they are concatenated. This was a security improvement to avoid rainbow table attacks.
0 votes

Hello Tim,

here is some information from R&D :

Efficy itself should be used to authenticate users, it's the most secure way and ensures the same algorithm and security standard is respected throughout all integrations.

The algorithm has been updated since Efficy 2012 Summer and now uses salted passwords.

You can easily check/authenticate a user by calling the /login endpoint with a POST request containing all the same fields than the logon page. Just inspect the AJAX request the logon page is sending, and use the same. if the user data is correct, Efficy will reply with an #OK# token that can also be customized in the macros.

answered by (1.9k points)
edited by
0 votes

Hello Tim,

So normally it should have worked, but here is another solution from R&D (since you are using PHP you may use CURL to do the call) :

1- you do /login like the page is doing and add the info in the POST and redirect to the MacroSuccess ... the macro that return #OK#, like it is done in the interface

so the url is something like this


And pass the parameters in POST mode:


2- you can then check by the return of the call that you are getting the response #OK# ... if not then the user has not a correct login

3- if there is a success then do the Logoff



Best Regards,

answered by (1.9k points)
1,249 questions
1,521 answers
328 users