Subject: Re: [wss-comment] Password Digest
Thus spoke eclogue chang (e1bridge@yahoo.com) on Mon, Oct 06, 2003 at 06:29:08PM -0700:

> Pete,
>
> Thanks for your clarification. However, I still have a question on this
> password digest issue. This is not thing to do with trust of the Provider
> or not, but just an implementation issue. For example, an enterprise that
> has the policy for no cleartext password can be stored in the database,
> and already stored all passwords in hashed format. Now, with this new WSS
> standard, what should it do?
>
> Using case #1 of Password_Digest = Base64(SHA-1(nonce + created + password)),
> I have to store the cleartext password on the Provider side. This will not
> only violate my company's policy, but also impossible to implement to the
> existing applications.

I understand.... you have this policy that exists, even though we can demonstrate that it offers no additional security (except perhaps that hashes are harder to remember from a casual glance than plaintext passwords... thus are more obscure). This is, indeed, an incompatibility between the existing spec and the policy. Thank you for explaining the issue thoroughly and persistently.

> Can you tell me how can I convert thousands user's stored password from
> SHA-1 hashed value back to cleartext?

Obviously, it cannot be done, even for a single hash, which by design is irreversible.

--Pete

Pete Wenzel <pete@seebeyond.com>
Senior Architect, SeeBeyond
Standards & Product Strategy
+1-626-471-6311 (US-Pacific)
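The exchange above turns on one property of the digest formula: the provider must recompute Base64(SHA-1(nonce + created + password)) over the same password bytes the client used, so a store holding only SHA-1(password) cannot produce a matching digest. The following is an added example, not code from the thread or from any WS-Security implementation; it builds a UsernameToken digest on the client side, verifies it on the provider side with a freshness window and nonce replay check, and shows that verification succeeds against a cleartext store and fails against a hashed one. The username, password, timestamp and the five-minute skew window are constructed values.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    `nonce` is the raw nonce bytes (the token carries it Base64-encoded);
    `created` is the xsd:dateTime string exactly as written in the token.
    """
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_username_token(username: str, password: str, now: datetime) -> dict:
    """Client side: the fields of a UsernameToken using the digest password type."""
    nonce = os.urandom(16)  # fresh random nonce per request
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_username_token(token: dict, stored_secret: str, seen_nonces: set,
                          now: datetime,
                          max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Provider side: recompute the digest from what the provider has stored.

    Accepts only if Created is within `max_skew` of the provider's clock, the
    nonce has not been seen before (replay protection), and the recomputed
    digest matches. Because the client hashed the cleartext password,
    `stored_secret` must be that cleartext: a stored SHA-1 of the password
    produces a different digest and the check fails.
    """
    created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew:
        return False  # stale or far-future token
    nonce = base64.b64decode(token["Nonce"])
    if nonce in seen_nonces:
        return False  # replayed nonce
    expected = password_digest(nonce, token["Created"], stored_secret)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen_nonces.add(nonce)  # record only after a successful check
    return True


def demo() -> dict:
    """Constructed scenario: same token checked against a cleartext and a hashed store."""
    now = datetime(2003, 10, 6, 18, 29, 8, tzinfo=timezone.utc)  # constructed
    password = "correct horse battery"                            # constructed
    token = make_username_token("eclogue", password, now)
    hashed_store = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return {
        "cleartext_store_verifies": verify_username_token(token, password, set(), now),
        "hashed_store_verifies": verify_username_token(token, hashed_store, set(), now),
    }


if __name__ == "__main__":
    print(demo())
```

The provider never sees the nonce or Created value before the request arrives, so it cannot precompute anything from the password: whatever it stores must let it reproduce the client's exact hash input. A value derived from the password with a fixed per-user salt would also work, but only if the client hashes over that same derived value instead of the raw password, which the formula quoted above does not do.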