Re: [wss-comment] Password Digest

[Pete Wenzel <pete@seebeyond.com>]

Thus spoke eclogue chang (e1bridge@yahoo.com) on Mon, Oct 06, 2003 at 06:29:08PM -0700:
> Pete, 
> 
> Thanks for your clarification. However, I still have a
> question on this password digest issue. This is not
> thing to do with trust of the Provider or not, but
> just an implementation issue. For example, an
> enterprise that has the policy for no cleartext
> password can be stored in the database, and already
> stored all passwords in hashed format. Now, with this
> new WSS standard, what should it do?  
> 
> Using case #1 of Password_Digest = Base64(SHA-1(nonce
> + created + password)), I have to store the cleartext
> password on the Provider side. This will not only
> violate my company?s policy, but also impossible to
> implement to the existing applications. 

I understand.... you have this policy that exists, even though we can
demonstrate that it offers no additional security (except perhaps that
hashes are harder to remember from a casual glance than plaintext
passwords... thus are more obscure).  This is, indeed, an
incompatibility between the existing spec and the policy.  Thank you
for explaining the issue thoroughly and persistently.

> Can you tell me how can I convert thousands user?s
> stored password from SHA-1 hashed value back to
> cleartext?  

Obviously, it cannot be done, even for a single hash, which by design
is irreversible.

--Pete
Pete Wenzel <pete@seebeyond.com>
Senior Architect, SeeBeyond
Standards & Product Strategy
+1-626-471-6311 (US-Pacific)