Encryption of username and password combinations when connecting to Data Sources.
When setting up a User Directory Connector (UDC) or Data Connection (DC), there is an option to store a username and password combination which can be used for that connection.
Qlik Sense uses AES-256 encryption to encrypt the password field so that this information cannot be recovered by a malicious entity.
Is a reversible encryption used (e.g. DES, 3DES, AES, etc.)?
Yes – AES-256.
Using a secure cryptographic one-way hash function (such as SHA-256) of the password, without the use of a salt?
Using a secure cryptographic one-way hash function (such as SHA-256) of the salted password (common salt)?
Using a secure cryptographic one-way hash function (such as SHA-256) of the salted password (individual salt)?
Is the salt at least 32 chars long?
The salt length is 16 bytes.
Using a dedicated password-based key derivation function, such as bcrypt, PBKDF2 or scrypt?
No key derivation function is used; only the key provided with the certificate is used.
Are the salts stored in the same database/table where the credentials are stored?
Salts are stored in the same database/table as the encrypted credentials.