Yes, EasyIdentity allows you to query user passwords using the REST APIs, but for security reasons, only hashed passwords are returned. The API also provides information about the hashing algorithm used, ensuring that sensitive data remains protected.
How It Works #
-
When you query the REST API for a user’s password, the system never returns the plain-text password.
-
The API response includes:
-
The hashed password
-
The hashing algorithm used to encrypt the password (e.g., SHA-256, bcrypt)
-
This approach ensures that administrators and developers can verify password configurations or perform security audits without compromising user security.
Best Practices #
-
Always handle API responses containing hashed passwords with care.
-
Do not attempt to reverse or decrypt hashed passwords, as this can violate security best practices.
-
Use the hashing algorithm information to ensure your organization’s password policies and security measures are up to date.
