How to make a custom password check

0
Is it possible to compare the password of a User to an input string? I know you can't compare a string to a hashed string in a microflow, but is this possible using a Java action or something like that?
asked
4 answers
4

Yes, you can do this using Java.

// import com.mendix.core.objectmanagement.member.MendixHashString;
// Fetch the Password member of the account object as a hash string; verifyValue
// hashes the candidate with the stored salt and compares, without exposing the stored hash.
MendixHashString password = (MendixHashString) __account.getMember(this.getContext(), "Password");
return password.verifyValue(this.getContext(), this.unhashedPassword);

this.unhashedPassword could be a parameter of a custom java action and take the value of an input box.

from https://community.mendix.com/questions/3720/HashString-comparison-with-SSHA256-hash-algorithm

answered
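For readers who want the snippet above in context, here is a complete custom Java action built around it. This is an added example, not code from the forum answer or from Mendix; the class name `CheckPassword`, the package `myfirstmodule.actions`, and the parameters `account` (a System.User or Account object) and `candidatePassword` are assumptions, and the action is assumed to be declared in Studio Pro with those parameters and a Boolean return type.

```java
// Added example, not from the forum thread. Assumed declaration in Studio Pro:
// CheckPassword(account: System.User, candidatePassword: String) : Boolean
package myfirstmodule.actions;

import com.mendix.core.objectmanagement.member.MendixHashString;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.IMendixObject;
import com.mendix.systemwideinterfaces.core.IMendixObjectMember;
import com.mendix.webui.CustomJavaAction;

public class CheckPassword extends CustomJavaAction<java.lang.Boolean>
{
	private IMendixObject account;          // the user whose password is checked (assumed parameter)
	private java.lang.String candidatePassword; // the plain-text input to verify (assumed parameter)

	public CheckPassword(IContext context, IMendixObject account, java.lang.String candidatePassword)
	{
		super(context);
		this.account = account;
		this.candidatePassword = candidatePassword;
	}

	@Override
	public java.lang.Boolean executeAction() throws Exception
	{
		// Refuse missing or empty input up front: an empty candidate must never verify,
		// and a null account would otherwise surface as an obscure NullPointerException.
		if (account == null || candidatePassword == null || candidatePassword.isEmpty()) {
			return false;
		}

		IMendixObjectMember<?> member = account.getMember(this.getContext(), "Password");

		// Only a HashString attribute can be verified; anything else is a modelling error,
		// so fail loudly instead of silently returning false.
		if (!(member instanceof MendixHashString)) {
			throw new IllegalStateException("Attribute 'Password' is not a HashString");
		}

		// verifyValue re-hashes the candidate with the stored salt and compares the result.
		// The stored hash is never read back as plain text, and the candidate is not logged.
		return ((MendixHashString) member).verifyValue(this.getContext(), candidatePassword);
	}

	@Override
	public java.lang.String toString()
	{
		return "CheckPassword";
	}
}
```

Call the action from a microflow with the user object and the value of the password input box; the Boolean result drives the decision. Keep the plain-text value out of logs and out of persistent attributes, and clear the input variable once the check has run.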
1

I'm not sure what exactly you want to check for in the passwords, just always a fixed string? Coming from where? If you don't need to compare against a password history then you can relatively safely write your own password setting microflow that just puts the initial password into a non-hashed string, runs some checks and then puts it in the hashed string and empties the old contents. This is also what Herbert suggests in the answer that Roeland linked (though not in so many words).

A feature could be that Mendix allows you to register a microflow as a pre-hashing hook so it's a little more automated, but right now that's not a feature that exists.

If you do want to compare password history then you'll have to store copies of the password in a special history table when the user changes a password. Then you can verify against those with the code that is in that answer.

answered
0

Hi,

Short answer: you should not (and cannot reliably) compare a Mendix user password yourself, even via Java, by reading the stored value. Mendix stores passwords as salted hashes, and the platform does not expose a way to reverse or directly compare them.

However, there is a correct and supported way to validate a password.

Supported by Mendix

Use the built-in authentication mechanism instead of manual comparison.

Option 1 — Use SignIn

Call the standard action:

Sign in

Provide:

  • Username
  • Password (input string)

Result:

  • If credentials are correct → login succeeds
  • If not → it fails

You can use this purely for validation logic (you don’t have to keep the user logged in if not needed).

If you only want to validate password (without login session)

Use this pattern:

  1. Call SignIn
  2. If success → password is correct
  3. Immediately log out (if needed)

Why you should NOT do manual comparison

  • Password is stored as: Hashed + Salted

  • You cannot do: InputPassword == StoredPassword

  • Even in Java:
    • You cannot access the raw password
    • You should not replicate hashing logic (security risk)

  • Always use Mendix authentication APIs
  • Never handle password comparison manually
  • Never expose or manipulate password hashes

  • Direct comparison → Not possible
  • Java custom comparison → Not recommended
  • Correct way → Use SignIn action to validate credentials
answered
-1

Take a look at this app https://appstore.home.mendix.com/link/app/1011/Mendix/Encryption With this module you can encrypt or decrypt the password and then do the compare.

Regards,

Ronald

answered