Hi is there a way to recover the password for a PI user. I do not want to change it as I don't want to break anything in production.
If applications are connecting to a PI Server via trust or mapping which is using PI User as identity, it will not break anything if you change the password for this PI user.
To reset PI User password follow the KB article https://techsupport.osisoft.com/Troubleshooting/KB/1333OSI8
On top of what Anna has written, if you are connecting using explicit login (using the password), you should change it to Windows Integrated Security in order to improve the security of your system. If you cannot do that, PI Trust is still a more secure option than explicit login. As Anna has already pointed out, using those options your applications will continue to work even if you change the password of the PI User. Remember that you can create mapping to PI Identities which does not require a password.
Hope it helps!
Thank you for your input. I would still want to know if it can be recovered rather than reset. Hardcoded passwords is one avenue I do not want to mess with. I totally agree with you though on
Users are sometimes lazy and use the same password for different purposes. Supporting password recovery means supporting to spy someone's password. For this reason we do not support password recovery but the ability to reset a PI Users password if necessary.
Thanks Gregor, that was my assumption as well.
Passwords for PI Users are completely and utterly insecure and remain so to this day. OSIsoft publicly disclosed this fact almost 5 years ago: techsupport.osisoft.com/.../224a5434-ba62-41d1-83eb-244ba60da193.htm. This is why PI Data Archive 3.4.380.36 and later disable this authentication method by default for all installations and upgrades.
OSIsoft does not provide support to do so, but it is indeed technically possible. This is effectively what the security researcher proved (credited in the above disclosure) and why OSIsoft responded the way we did.
Your intent to recover the password may be good, but unfortunately, everyone else's intent cannot guaranteed to be good. Thus, for obvious reasons, we're not going to provide a tool to make it trivial to accomplish. But make no mistake: it is possible with modest effort.
If you have a PI AF SDK-based or PI SDK-based program, you should move exclusively to Windows authentication.
Where feasible, PI API-based programs should be replaced by PI SDK- or PI AF SDK-based programs (and use Windows authentication). Where that is not feasible, PI Trust authentication should be used exclusively, but please note that PI Trust authentication pales in comparison to Windows authentication.
No type of program should authenticate as piadmin, especially with PI User or PI Trust authentication.
For a small list of things that you can do to improve the security of the PI Data Archive, see this KB article from last summer:
Retrieving data ...