Re: UsernameTokenManager and a hashed password database

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Dilip Krishnan (dkrishnan_at_NOSPAM.geniant.com)
Date: 12/30/04 

Date: Thu, 30 Dec 2004 12:55:25 -0800

Hello SA,
         Since yr datbase has hashed passwords, You're UsernameTokenManager
should be able to reconstruct the cleartext pwd based on the 'shared secret'
between token manager and the databaes hashing mechanism i.e. the SHA-1 and
salt value. This way the client just sends teh pwd in using the SendHashed
option
Check these resources for detailed discussions
http://dotnetjunkies.com/WebLog/josephcooney/archive/2004/07/13/19156.aspx
http://pluralsight.com/blogs/aaron/archive/2004/07/03/1529.aspx

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

> Hi all,
>
> Forgive me if this question has been asked before ;o)
>
> Does anyone know of a way to get a custom UsernameTokenManager
> (receiving hashed passwords) to work if the password database itself
> is hashed?
>
> My password database is hashed with SHA-1 and the passwords are
> combined with a salt value before hashing.
>
> Otherwise, I am going to have to encrypt the passwords, but that's
> obviously not as secure...
>
> ---
>
> Sven.
>

Relevant Pages

  • Re: Hash MD5, Sha1 and Length
    ... For saving passwords on a database you need to use SHA-256, ... The salt prevents two people using the same password having the same ... hash and also stops an attacker pre-calculating hashes for commonly ...
    (microsoft.public.dotnet.languages.csharp)
  • RE: [PHP] crypt salt question
    ... How did you do the comparison with the PG_SQL database?? ... But how did you compare passwords before, ... Subject: crypt salt question ...
    (php.general)
  • Re: Password authentication using unix crypt
    ... We have a database that contains all of the user ids and passwords. ... encrypted using unix crypt function. ... only one-character salt key, instead of two. ...
    (comp.unix.aix)
  • Re: Newbie Salt and Pass Phrase Question.
    ... users tend to choose passwords that are ... Then the attacker somehow ... This is where the salt comes in. ... precompute his big database any more. ...
    (sci.crypt)
  • Re: Newbie - Login Password Processing?
    ... The administrator can go around the office, or the stage of a fundraiser event, and enter the pass phrase for each computer connected to a common database, then the users can log themselves on. ... I have that function, password to salt and key, for the crypto pass phrase and I was just going to re-use it for the login pass phrase. ... I need to generate an IV to encrypt the columns of each row, and I need to extract that IV so I can decrypt each row, where should I get the IV? ...
    (sci.crypt)