Siebel Security Guide > Security Adapter Authentication >
About Password Hashing
User passwords or database credentials passwords can be hashed for greater security. This topic describes the password hashing options available with Siebel Business Applications.
Unlike encryption that involves two-way algorithms (encryption and decryption), hashing uses a one-way algorithm. A clear-text version of a password is hashed using a Siebel utility, then stored in the database or in an external directory such as LDAP or ADSI. During login, a clear-text version of a password is provided (such as by a user), which is then hashed and compared to the stored hashed password.
The password hashing options available with Siebel Business Applications are as follows:
- User password hashing. When you are using security adapter authentication (including database, LDAP or ADSI, or custom security adapters), user passwords can be hashed.
An unexposed, hashed password is maintained for each user, while the user logs in with an unhashed (clear-text) version of the password. This password is hashed during login.
Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel Business Applications and logging directly into the Siebel database using an RDBMS tool such as SQL*Plus. It also prevents passwords intercepted over the network from being used to access the applications, because an intercepted hashed password will itself be hashed when login is attempted, leading to a failed login.
- Database credentials password hashing. When you are using security adapter authentication other than database authentication (including LDAP or ADSI or custom security adapters), or using Web SSO authentication, database credentials passwords can be hashed.
An unexposed, hashed password for a database account is maintained, while an unhashed (clear-text) version of the password is stored in the LDAP or ADSI external directory. This password is hashed during login.
Credentials password hashing prevents users from being able to log into the Siebel database directly using a password obtained through unauthorized access to the external directory, because the unhashed password will not match the hashed version stored in the database.
- Password hashing utility. Siebel Business Applications provide a password hashing utility called hashpwd.exe, which uses the RSA SHA-1 hashing algorithm by default. For existing customers, the Siebel proprietary hashing algorithm (the mangle algorithm) is also available as an option for the hashpwd.exe utility.
NOTE: New customers are required to use RSA-SHA1, and existing customers are strongly recommended to migrate to RSA-SHA1 promptly.
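The following is an added illustration of the one-way scheme described above (store only a digest, hash whatever is presented at login, compare digests); it is not hashpwd.exe, does not reproduce Siebel's stored-hash format, and the user name, passwords and in-memory store are constructed for the example. It uses SHA-1 only because that is the algorithm the page names. It also shows the two consequences the text draws: a hash copied out of the store or off the network fails when it is presented as a password, because it is hashed again, and a clear-text credential held in an external directory does not match the hashed copy in the database.

```python
import hashlib
import hmac

# Constructed example: a dictionary stands in for the database column that
# holds each account's hashed password. No clear text is ever written to it.


def hash_password(clear_text: str) -> str:
    """One-way hash of a clear-text password (SHA-1, the algorithm named on the page)."""
    return hashlib.sha1(clear_text.encode("utf-8")).hexdigest()


def enroll(store: dict, account: str, clear_text: str) -> None:
    """Persist only the hashed form of the password for an account."""
    store[account] = hash_password(clear_text)


def verify_login(store: dict, account: str, presented: str) -> bool:
    """Hash whatever was presented at login and compare it with the stored digest.

    The comparison is constant-time so timing does not leak how many
    leading characters of the digest matched.
    """
    stored = store.get(account)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(presented), stored)


def demo() -> dict:
    """Run the scenarios from the text against the constructed store."""
    store = {}
    enroll(store, "sadmin", "correct horse")  # constructed sample credential

    # A value copied from the store, or captured on the wire, is a digest,
    # not the password; presenting it gets it hashed a second time.
    intercepted_digest = store["sadmin"]

    # Database-credentials case: an external directory holds the clear-text
    # form while the database holds the hashed form. The clear text alone
    # does not open a direct database login against the hashed copy.
    directory_copy = "correct horse"

    return {
        "clear_text_login": verify_login(store, "sadmin", "correct horse"),
        "wrong_password": verify_login(store, "sadmin", "wrong"),
        "replayed_digest": verify_login(store, "sadmin", intercepted_digest),
        "unknown_account": verify_login(store, "nobody", "correct horse"),
        "directory_copy_equals_stored": directory_copy == store["sadmin"],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The single point worth taking from the run is that only the clear-text login succeeds; the replayed digest, the wrong password and the unknown account all fail, and the directory's clear-text copy is never equal to the stored digest. Because the page names unsalted SHA-1, the digest for a given password is the same everywhere it is computed, which is what makes precomputed tables effective against it; that is a property of the algorithm, not of the scheme shown here.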
The following topics provide additional information about using password hashing with Siebel Business Applications:
NOTE: For information about managing encrypted passwords in the eapps.cfg file, see Managing Encrypted Passwords in the eapps.cfg File. The password encryption mechanism described there is unrelated to the password hashing mechanism described in this topic.