About Password Hashing
This topic describes the password hashing options available with Siebel Business Applications. User passwords and database credentials passwords can be hashed for greater security. Hashing passwords is recommended.
Unlike encryption that involves two-way algorithms (encryption and decryption), hashing uses a one-way algorithm. A clear-text version of a password is hashed using a Siebel utility, then stored in the database or in an external directory such as LDAP. During login, a clear-text version of a password is provided (such as by a user), which is then hashed and compared to the stored hashed password.
The password hashing options available with Siebel Business Applications are as follows:
User password hashing. When you are using security adapter authentication (including database, LDAP, or custom security adapters), user passwords can be hashed.
A hashed password is maintained for each user, while the user logs in with an unhashed (clear-text) version of the password. This password is hashed during login.
Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel Business Applications and logging directly into the Siebel database using an RDBMS tool such as SQL*Plus. It also prevents passwords intercepted over the network from being used to access the applications, because an intercepted hashed password will itself be hashed when login is attempted, leading to a failed login.
Adding salt values to user passwords. In the current release, if you are using an LDAP or a custom security adapter you can choose to prefix a user’s password with a salt value (a random string) before the password is hashed. The result of the hash function and the salt value are then stored in the security adapter directory. During authentication, the user password supplied is prefixed with the stored salt value and hashing is applied. If this computed value matches the hash value in the directory, then the user is authenticated.
Note: Adding salt values to user passwords is not supported if you are using Web Single Sign-On or database authentication. The Salt User Password parameter is ignored if the Configure Web Single Sign-On parameter is set to TRUE.
Adding salt values to user passwords provides protection against dictionary attacks on the hashed passwords. By making passwords longer and more random, salt values lessen the likelihood that the hashed passwords can be deciphered. For additional information on the Salt User Password parameter, see Parameters for Configuring Security Adapter Authentication.
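The salt-prefix scheme above, and the earlier point that a replayed hash fails at login, as a constructed example (not Siebel's own code or the hashpwd.exe implementation): SHA-1 is used as the default only because this topic names it as the utility's default, and the record layout and salt length are assumptions, not the security adapter directory's schema.

```python
import hashlib
import hmac
import secrets

# Constructed model of the scheme described on this page: the directory stores
# hash(salt || password) together with the salt. The dict layout and the
# 16-character salt are assumptions; the algorithm defaults to SHA-1 because
# the page names it as the hashpwd.exe default.

def hash_password(password: str, salt: str, algorithm: str = "sha1") -> str:
    """Hex digest of the salt prefixed to the clear-text password."""
    h = hashlib.new(algorithm)
    h.update((salt + password).encode("utf-8"))
    return h.hexdigest()

def create_record(password: str, algorithm: str = "sha1") -> dict:
    """Generate a random salt and return what the directory would store."""
    salt = secrets.token_hex(8)  # assumed salt length; any random string works
    return {"salt": salt, "hash": hash_password(password, salt, algorithm),
            "algorithm": algorithm}

def verify_password(supplied: str, record: dict) -> bool:
    """Prefix the stored salt, hash, and compare in constant time."""
    computed = hash_password(supplied, record["salt"], record["algorithm"])
    return hmac.compare_digest(computed, record["hash"])

def replayed_hash_fails(record: dict) -> bool:
    """An intercepted stored hash submitted as the password is hashed again,
    so it does not match the stored value (the page's replay argument)."""
    return not verify_password(record["hash"], record)

def salts_defeat_precomputation(password: str) -> bool:
    """Same clear-text password, two independent salts: two different hashes,
    so one precomputed dictionary does not cover both records."""
    return create_record(password)["hash"] != create_record(password)["hash"]

if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("replayed hash rejected:", replayed_hash_fails(rec))
```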
Database credentials password hashing. When you are using security adapter authentication other than database authentication (LDAP or custom security adapters), or if you are using Web SSO authentication, database credentials passwords can be hashed.
A hashed password for a database account is maintained in the database, while an unhashed (clear-text) version of the password is stored in the external directory. This password is hashed and compared during database login.
Credentials password hashing prevents users from being able to log into the Siebel database directly using a password obtained through unauthorized access to the external directory because the unhashed password in the directory will not match the hashed version stored in the database.
Password hashing utility. Siebel Business Applications provide a password hashing utility called hashpwd.exe, which uses the RSA SHA-1 hashing algorithm by default. For existing customers, the Siebel proprietary hashing algorithm (the mangle algorithm) is also available as an option for the hashpwd.exe utility.
For information about managing encrypted passwords in Siebel Application Interface configuration, see Encrypted Passwords in Siebel Application Interface Profile Configuration. The password encryption mechanism described there is unrelated to the password hashing mechanism described in this topic.