Re: hashed password and UsernameTokenManager
- From: "Sami Vaaraniemi" <samivanospam@xxxxxxxxxxxxxxx>
- Date: Wed, 11 Jan 2006 12:44:43 +0200
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:BERz8onEGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your response Phil,
>
> Yes, storing password hash is the best practice... However, the cleartext
> mentioned here is just what the value which is used to construct the
> UsernameToken at clientside... Because when it used usernametoken or
> derived token to encrypte or sign the message, we'll need the original
> cleartext value to construct the token key and decrypte the message....
> Thus, if your custom security database stores only password hash, you need
> to also use hashed password text to construct the username token...
Note that if you hash the password in the client by giving the hashed
password to UsernameToken, then the hashed password *becomes the password*.
If you do this, then IMO it is pointless to store the password hash in the
database.
Regards,
Sami
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
.
- Follow-Ups:
- Re: hashed password and UsernameTokenManager
- From: Phil Lee
- Re: hashed password and UsernameTokenManager
- References:
- hashed password and UsernameTokenManager
- From: Phil Lee
- Re: hashed password and UsernameTokenManager
- From: Pablo Cibraro
- Re: hashed password and UsernameTokenManager
- From: Steven Cheng[MSFT]
- Re: hashed password and UsernameTokenManager
- From: Phil Lee
- Re: hashed password and UsernameTokenManager
- From: Steven Cheng[MSFT]
- hashed password and UsernameTokenManager
- Prev by Date: Re: Calling a thirdparty Web service fails with Http error 401: Unauthorized
- Next by Date: Re: hashed password and UsernameTokenManager
- Previous by thread: Re: hashed password and UsernameTokenManager
- Next by thread: Re: hashed password and UsernameTokenManager
- Index(es):
Relevant Pages
|
