Decoding WebSphere passwords

Older versions of IBM WebSphere encode their passwords with a simple algorithm. These passwords are not encrypted, and it has long been known that decoding them is fairly simple. So far the methods presented did not always suit my needs, so I created yet another decoder. It is written in JavaScript, for reasons I will describe below.

The most common way of decoding these password ‘hashes’ is relying on a website to do the decoding for you. There are a few well-known sites which do just the trick. There is a small flaw in this method: you cannot guarantee that your password is not stored on the server, which makes you just a bit vulnerable to attacks. They can store your IP and your password and use that information for an attack. Call me paranoid.

The other way is letting WebSphere itself decode the hash. The code is all there on the system, and it is even documented on the IBM site, yet the method differs per installation and the commands can be a bit overcomplicated. It can be done and it is fail-safe, but you need to run some Java commands from the command line, with many permutations in the final command. You need to construct it yourself, and I cannot give you a one-size-fits-all command.

The best solution in my opinion is to run it locally in a browser, without the hassle of figuring out the exact method. As the method is pretty simple, it can be written in a little file and run locally, under your own control. I have written such a JavaScript file and you can use it to your liking. The most secure solution is to download the HTML file (it is self-contained) and run it locally in your browser.

If you have just a little bit of healthy paranoia, you should download this HTML file. Store it locally. Check it. And then use it. Just to ensure that nobody steals your passwords while decoding.

— update: now with encoder as well as decoder

It has a little form, pre-populated with the best-known encoded password: WebAS.
You merely paste the hash into the source field (with or without {xor}), click decode, and voilà: your decoded password is there.

The decoding is pretty straightforward: first the method prefix is removed if present (the method is {xor}). The hash is then base64-decoded and each character is XORed against an underscore (ASCII 95). The result is your password. (Encoding is exactly the same steps, in reverse order.)
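The steps just described, as an added example in Node.js; this is not the post's own HTML tool, and the function names, the `findXorProperties` helper and the sample properties file are my own constructions:

```javascript
// Added example, not the post's own HTML tool: the {xor} scheme as the post
// describes it, in Node.js. Function and constant names are my own choice.
const XOR_KEY = 0x5f;   // underscore, ASCII 95
const PREFIX = "{xor}"; // the "method" marker WebSphere puts in front

function xorBytes(buf) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ XOR_KEY;
  return out;
}

// Decode: strip the optional {xor} prefix, base64-decode, XOR every byte with '_'.
function decodeXor(encoded) {
  let s = String(encoded).trim();
  if (s.toLowerCase().startsWith(PREFIX)) s = s.slice(PREFIX.length);
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(s)) throw new Error("not a base64 string");
  return xorBytes(Buffer.from(s, "base64")).toString("latin1");
}

// Encode: the same steps in reverse order, prefix included.
function encodeXor(plain) {
  return PREFIX + xorBytes(Buffer.from(String(plain), "latin1")).toString("base64");
}

// Defender's helper: list the properties in a config snippet that still carry a
// reversible {xor} value, so they can be inventoried and protected.
function findXorProperties(configText) {
  const hits = [];
  for (const line of configText.split(/\r?\n/)) {
    const m = line.match(/^\s*([\w.]+)\s*=\s*(\{xor\}\S+)/i);
    if (m) hits.push({ key: m[1], value: m[2] });
  }
  return hits;
}

// Constructed sample, not taken from any real installation.
const SAMPLE_CONFIG = [
  "# constructed sample properties file",
  "sample.keyStorePassword={xor}CDo9Hgw=",
  "sample.dbPassword={xor}CDo9Hgw=",
  "sample.timeout=600",
].join("\n");

console.log(decodeXor("{xor}CDo9Hgw="));   // WebAS
console.log(encodeXor("WebAS"));            // {xor}CDo9Hgw=
console.log(findXorProperties(SAMPLE_CONFIG).map((h) => h.key).join(", "));
```

The prefix check is case-insensitive and the input is trimmed, so values copied straight out of a properties file decode without clean-up.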

A final remark: the weakness of these hashes has long been known. That is why WebSphere no longer uses this encoding for sensitive passwords (as of 6.1). This also means that you need to carefully protect your file systems if passwords are stored there, not just encoded ones but also hashed passwords in any form. This encoding is simply too weak, but in principle any stored password can be a security hazard.

22 responses to “Decoding WebSphere passwords”

  1. alex says:

    very useful! Excellent work!

    Thanks!

  2. alex says:

    BTW, how can I do it the reverse way, to encrypt a string for WAS to use?

  3. jzomer says:

    Hi

    I updated the WebSphere decoder to have an encoder as well. Just a few lines of code and some beautification! Please test it and use it to your liking.

  4. alex says:

    Thanks! It works beautifully!
    Very useful...

  5. jzomer says:

    Yeah, Andy 😉 I made a link to yours. But who tells me you’re not simply storing all my passwords? Mine is fully controllable by anybody. That is why I created mine.

  6. Amit says:

    It worked effortlessly. Thanks a million !!!!

  7. Sidd says:

    This information is good.
    Can I please have this “Decoding WebSphere passwords”
    in core Java?
    It is really helpful...
    Thanks in advance

  8. Sidd says:

    Need core Java code to decode WebSphere passwords.
    (You have already written it in JavaScript.)
    Where I need to send a String into a method and get the decoded String returned.

    This will help a lot...
    Thanks in advance.

  9. jzomer says:

    If you have read the article, you can see that IBM provided a Java Decoder themselves. The method differs per WebSphere version, so read carefully. I see no reason to build this in Java but be my guest!

  10. Sidd says:

    Thanks jzomer.
    I checked the IBM document but no luck, getting “No Found Error MSG”.

    Your JavaScript code is good for different Version as well. Thanks for sharing.

    Could you please help me to get java code?
    It is really helpful for me.
    Thanks again.

  11. Venkatesh says:

    Does it work for IBM WAS 7.0?

  12. jzomer says:

    It will work for all instances where a XOR algorithm is used. However, the most important parts of security have been revised and no longer use this algorithm. IBM (rightfully) now uses a one-way hash.

  13. jzomer says:

    It does. However still only on XOR-schemed passwords. And there aren’t that many left. Certainly not useful ones. IBM has improved its password strength quite a bit since WAS6, so this tool becomes obsolete quite fast.

  14. Hari says:

    Thanks, but it didn’t work on WS8.5 (Windows).

    Do you have a way out for encrypting passwords in WebSphere 8.5?

  15. 95Louis says:

    Hi admin, i must say you have hi quality content here.
    Your website can go viral. You need initial traffic boost only.

    How to get it? Search for: Mertiso’s tips go viral

  16. kiran says:

    Excellent .Very useful

  17. FirstAlyce says:

    I have noticed you don’t monetize your blog, don’t waste your
    traffic, you can earn additional cash every month because you’ve
    got hi quality content. If you want to know how to make extra $$$, search for: Mrdalekjd methods for
    $$$

  18. Marcie Auge says:

    Please approve me

  19. Bernie says:

    Thanks for this. The standalone html page is great. I was not happy feeding lists of WebSphere XORED passwords into an on-line decoder. :-)

  20. Ajay says:

    Thanks a lot :) .

  21. BestAdrianna says:

    I have noticed you don’t monetize strelitzia.net,
    don’t waste your traffic, you can earn additional cash every month with new monetization method.

    This is the best adsense alternative for any type of website (they approve all sites), for more details simply search in gooogle:
    murgrabia’s tools

strelitzia.net