Re: UsernameTokenManager and a hashed password database
From: Softwaremaker (msdn_at_removethis.softwaremaker.net)
Date: 12/30/04
- Next message: RichardX: "Re: Questions about certificates"
- Previous message: Softwaremaker: "Re: UsernameTokenManager and a hashed password database"
- In reply to: Softwaremaker: "Re: UsernameTokenManager and a hashed password database"
- Next in thread: Dilip Krishnan: "Re: UsernameTokenManager and a hashed password database"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 31 Dec 2004 07:04:33 +0800
In other words, your SALT value is the password now...
--
Thank you.
Regards,
Softwaremaker
http://www.softwaremaker.net/blog
=========================================

"Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message news:#qesvLs7EHA.2016@TK2MSFTNGP15.phx.gbl...
> > Since yr database has hashed passwords, Your UsernameTokenManager
> > should be able to reconstruct the cleartext pwd based on the 'shared secret'
> > between token manager and the database hashing mechanism i.e. the SHA-1 and
> > salt value. This way the client just sends the pwd in using the SendHashed
> > option
>
> How do you reconstruct the cleartext pwd based on the 'shared secret'
> between token manager and the database hashing mechanism i.e. the SHA-1 and
> salt value? Am I missing something? The cleartext pwd shouldn't be in use
> here and is definitely an unknown at the server-side database.
>
> Then you are using the hashed digest as the password which, although it doesn't
> compromise the 'real' password, does make the hash no safer than storing the
> passwords in clear text in the database. If a hacker steals the hash from
> the database, nothing prevents him/her from writing a client that sends the
> hash and thus he would authenticate successfully. This is exactly what the
> hash scheme is trying to avoid in the first place. If used this way the hash
> is no safer than storing the passwords in clear text in the database.
>
> "Dilip Krishnan" <dkrishnan@NOSPAM.geniant.com> wrote in message
> news:69793632400153328730240@msnews.microsoft.com...
> > Hello SA,
> > Since yr database has hashed passwords, Your UsernameTokenManager
> > should be able to reconstruct the cleartext pwd based on the 'shared secret'
> > between token manager and the database hashing mechanism i.e. the SHA-1 and
> > salt value. This way the client just sends the pwd in using the SendHashed
> > option
> >
> > Check these resources for detailed discussions
> > http://dotnetjunkies.com/WebLog/josephcooney/archive/2004/07/13/19156.aspx
> > http://pluralsight.com/blogs/aaron/archive/2004/07/03/1529.aspx
> >
> > HTH
> > Regards,
> > Dilip Krishnan
> > MCAD, MCSD.net
> > dkrishnan at geniant dot com
> > http://www.geniant.com
> >
> > > Hi all,
> > >
> > > Forgive me if this question has been asked before ;o)
> > >
> > > Does anyone know of a way to get a custom UsernameTokenManager
> > > (receiving hashed passwords) to work if the password database itself
> > > is hashed?
> > >
> > > My password database is hashed with SHA-1 and the passwords are
> > > combined with a salt value before hashing.
> > >
> > > Otherwise, I am going to have to encrypt the passwords, but that's
> > > obviously not as secure...
> > >
> > > ---
> > >
> > > Sven.
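The two schemes argued over in this thread, as an added example that is not part of any post and not WSE's own code (Python rather than C#; the salt, nonce, timestamp and password are constructed sample values): a server can only recompute a UsernameToken password digest from the exact secret the client fed into it, so with a salted-hash store that secret has to be the stored hash, which is what makes the stored row equivalent to a password.

```python
# Added example, not from the thread or from WSE. Sample values are constructed.
import base64
import hashlib
import hmac

SALT = bytes.fromhex("a3f1c08e5d2b7746")                    # constructed
NONCE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
CREATED = "2004-12-31T07:04:33Z"                            # constructed
CLEARTEXT = "correct horse battery staple"                  # constructed


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """WS-Security UsernameToken Profile: Base64(SHA-1(nonce + created + secret))."""
    raw = nonce + created.encode("utf-8") + secret.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def stored_value(salt: bytes, cleartext: str) -> str:
    """What Sven's database row holds: Base64(SHA-1(salt + cleartext))."""
    raw = salt + cleartext.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify(nonce: bytes, created: str, digest: str, server_secret: str) -> bool:
    """Server-side check: recompute the digest from whatever secret the server holds."""
    return hmac.compare_digest(password_digest(nonce, created, server_secret), digest)


def cleartext_digest_checks_against_hashed_store() -> bool:
    """Sven's setup: the client digests the cleartext, the server holds only the
    salted hash. It cannot recover the cleartext, so the best it can do is feed
    the stored value in as the secret, and that never matches."""
    digest = password_digest(NONCE, CREATED, CLEARTEXT)
    return verify(NONCE, CREATED, digest, stored_value(SALT, CLEARTEXT))


def stored_value_alone_authenticates() -> bool:
    """Dilip's workaround: both sides agree the 'password' fed to the digest is
    the salted hash. Verification works, but the sender needed nothing beyond
    the stored value, which is Softwaremaker's objection: the row is the password."""
    secret = stored_value(SALT, CLEARTEXT)
    digest = password_digest(NONCE, CREATED, secret)   # no cleartext used here
    return verify(NONCE, CREATED, digest, secret)


if __name__ == "__main__":
    print("cleartext digest vs hashed store:", cleartext_digest_checks_against_hashed_store())
    print("stored value alone authenticates:", stored_value_alone_authenticates())
```

The defensive consequence is the one the thread reaches: if the stored hash is the digest secret, the database row must be protected exactly as a cleartext credential would be.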