Decoding WebSphere passwords
May 17th, 2011 Posted in security, technology, websphere, work
Older versions of IBM WebSphere encode their passwords with a simple algorithm. These passwords are not encrypted, and it has long been known that decoding them is fairly simple. The methods presented so far did not always suit my needs, so I created yet another decoder. It is written in JavaScript for reasons I describe below.
The most common way to decode these password ‘hashes’ is to rely on a website to perform the decoding for you. There are a few well-known sites that do just that. This method has a flaw: you cannot guarantee that your password is not stored on the server, which leaves you a bit vulnerable to attack. The site can store your IP and your password and use that information to mount an attack. Call me paranoid.
The other way is to let WebSphere itself decode the hash. The code is all there on the system, and is even documented on the IBM site, yet the method differs per installation and the commands can be a bit overcomplicated. It can be done and it is fail safe, but you need to run some Java commands from the command line, and the final command has many permutations. You need to construct it yourself; I cannot give you a one-size-fits-all command.
The best solution, in my opinion, is to run the decoding locally in a browser, without the hassle of figuring out the exact method. As the method is pretty simple, it can be written in a small file and run locally, under your control. I have written such a script in JavaScript and you can use it to your liking. The most secure solution is to download the HTML file (it is self-contained) and run it locally in your browser.
If you have just a little bit of healthy paranoia, you should download this HTML file, store it locally, check it, and only then use it. That way you ensure that nobody steals your passwords while you decode them.
– update: now with encoder as well as decoder
It has a little form, pre-populated with the best known encoded password: WebAS.
You merely copy the hash into the source field (with or without {xor}) and click decode and voilà: your decoded password is there.
The decoding is pretty straightforward: first the method prefix is removed if it exists (the method is {xor}). The hash is then base64 decoded and each character is XORed against an underscore (ASCII 95). The result is your password. (Encoding is exactly the same, but in reverse order.)
A final remark: the weakness of these hashes has long been known. That is why WebSphere no longer uses this encoding for sensitive passwords (as of 6.1). This also means that you need to carefully protect your file systems if there are passwords stored on them. That applies not just to encoded passwords, but also to hashed passwords in any form. This encoding is too simple, but in theory all stored passwords could be a security hazard.
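The decode and encode steps described above, plus a small audit helper for the file-system point in the final remark, as an added example (this is not the code from the downloadable HTML file). The function names, the UTF-8 assumption and the sample config text are assumptions made for this illustration.

```javascript
// Added example; names and the sample config text are constructed for illustration.
const XOR_KEY = 95; // ASCII underscore, the fixed key described in the post
const TOKEN = /\{xor\}[A-Za-z0-9+/]*={0,2}/gi;

// Strip an optional {xor} prefix, base64-decode, XOR every byte with the key.
// Assumption: the password bytes are UTF-8 text.
function decodeXor(value) {
  const b64 = value.trim().replace(/^\{xor\}/i, '');
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('not a valid base64 {xor} value');
  }
  const raw = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(raw.map((b) => b ^ XOR_KEY));
}

// Same steps in reverse order: XOR each byte, base64-encode, add the prefix.
function encodeXor(password) {
  const bytes = new TextEncoder().encode(password).map((b) => b ^ XOR_KEY);
  return '{xor}' + btoa(String.fromCharCode(...bytes));
}

// Report where recoverable {xor} values sit in a config file, giving only the
// line number and plaintext length so the report itself contains no password.
function auditConfig(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(TOKEN)) {
      try {
        hits.push({ line: i + 1, plaintextLength: decodeXor(m[0]).length });
      } catch (e) { /* looks like a token but is not valid base64: skip */ }
    }
  });
  return hits;
}

// Constructed sample input, not taken from a real installation.
const SAMPLE_CONFIG = [
  '<registry id="example">',
  '  <user name="admin" password="{xor}CDo9Hgw="/>',
  '</registry>',
].join('\n');

console.log(decodeXor('{xor}CDo9Hgw='), encodeXor('WebAS'), auditConfig(SAMPLE_CONFIG));
```

Any file that `auditConfig` flags holds a password that anyone with read access can recover, so its permissions deserve the same care as a plaintext secret.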

6 Responses to “Decoding WebSphere passwords”
By alex on May 26, 2011
very useful! Excellent work!
Thanks!
By alex on May 26, 2011
BTW, how can I do it the reverse way, to encrypt a string for WAS to use?
By jzomer on Jun 1, 2011
Hi
I updated the WebSphere decoder to have an encoder as well. Just a few lines of code and some beautification! Please test it and use it to your liking.
By alex on Jun 2, 2011
Thanks! It works beautifully!
Very useful……….
By Andy Jones on Jun 17, 2011
prettier decoder here
http://www.poweredbywebsphere.com/decoder.html
By jzomer on Jun 18, 2011
Yeah, Andy
I made a link to yours. But who tells me you’re not simply storing all my passwords? Mine is fully controllable by anybody.. That is why I created mine.