Decoding WebSphere passwords
May 17th, 2011 Posted in security, technology, websphere, work
Older versions of IBM WebSphere encodes its passwords with a simple algorithm. These passwords are not encrypted and it has been known for long that decoding them is fairly simple. So far the presented methods did not always suit my needs, so I created yet another decoder. It is created in JavaScript for reasons I will describe below.
The most common way for decoding these password ‘hashes’ is relying on a website to perform the decoding for you. There are a few well-known sites which do just the trick. There is a little flaw in this method, as you cannot guarantee that your password is not stored on the server, making you just a bit vulnerable to attacks: They can store your IP and your password and can establish an attack with the info. Call me paranoia.
The other way is letting WebSphere itself decode the hash. The code is all there on the system, documented even on the IBM site, yet the method differs per installation and the commands can be a bit overcomplicated. It can be done and it is fail safe. But you need to run some java commands from the command-line, with many permutations in the final command. You need to construct it and I cannot give you a one-fits-all command.
The best solution in my opinion is to run it locally in a browser, without the hassle of figuring out the exact method. As the method is pretty simple it can be written in a little file and run locally and controlled. I have written such a JavaScript and you can use it to your liking. The most secure solution is to download the HTML-file (it is self-contained) and run it locally in your browser.
If you have just a little bit of healthy paranoia, you should download this HTML-file. Store it locally. Check it. And then use it. Just to ensure that nobody steals your passwords while decoding.
— update: now with encoder as well as decoder
It has a little form, pre-populated with the best known encoded password: WebAS.
You merely copy the hash in the source field (with or without {xor}) and click decode and voilà: your decoded password is there.
The decoding is done pretty straightforward: First the method is removed if it exists (the method is {xor}). The hash is than base64 decoded and each character is XORred against an underscore (ASCII 95). The result is your password. (Encoding is exactly the same, but in reverse order.)
A final remark: the weakness of these hashes is long known. That is why WebSphere no longer uses it for sensitive passwords (as of 6.1). This also means that you need to carefully protect your file systems if there are passwords stored. Not just encoded, but also hashed passwords in any form. This encoding is too simple but in theory all stored passwords could be a security hazard.


28 Responses to “Decoding WebSphere passwords”
By alex on May 26, 2011
very useful! Excellent work!
Thanks!
By alex on May 26, 2011
BTW, how can do in reversed way to encrypt a string for WAS to use?
By jzomer on Jun 1, 2011
Hi
I updated the WebSphere decoder to have an encoder as well. Just a few lines of code and some beautification! Please test it and use it to your liking.
By alex on Jun 2, 2011
Thanks! It works beautifully!
Very useful……….
By Andy Jones on Jun 17, 2011
prettier decoder here 🙂
http://www.poweredbywebsphere.com/decoder.html
By jzomer on Jun 18, 2011
Yeah, Andy 😉 I made a link to yours. But who tells me you’re not simply storing all my passwords? Mine is fully controllable by anybody.. That is why I created mine.
By Amit on Apr 6, 2012
It worked effortlessly. Thanks a million !!!!
By Sidd on May 18, 2012
this information is good.
can I have please have this “Decoding WebSphere passwords”
in Core java ?
It really help full…
thanks in advances
By Sidd on May 18, 2012
Need core Java code to Decoding WebSphere password.
(already you hava written in javascript).
where I need to sent String in method and return decoded String.
this will help a lot…
thanks in advance.
By jzomer on May 19, 2012
If you have read the article, you can see that IBM provided a Java Decoder themselves. The method differs per WebSphere version, so read carefully. I see no reason to build this in Java but be my guest!
By Sidd on May 21, 2012
Thanks jzomer.
I checked the IBM document but no luck, getting “No Found Error MSG”.
Your JavaScript code is good for different Version as well. Thanks for sharing.
Could you please help me to get java code?
It really help full for me.
Thanks again.
By Venkatesh on Jun 21, 2012
Does it work for IBM WAS 7.0?
By jzomer on Jul 2, 2012
It will work for all instances where a XOR-algoryth is used. However, the most important parts of security have been revised and no longer uses this algorrythm. IBM (rightfully) now uses a one-way hash.
By jzomer on Aug 20, 2012
It does. However still only on XOR-schemed passwords. And there aren’t that many left. Certainly not useful ones. IBM had improved it’s password strength quite a bit since WAS6, so this tool becomes obsolete quite fast.
By Hari on Dec 5, 2015
Thanks, But it does it didn’t works WS8.5 (windows)
Dow you have a wayout for encrypting passwords WebSphere 8.5
By 95Louis on Jul 29, 2017
Hi admin, i must say you have hi quality content here.
Your website can go viral. You need initial traffic boost only.
How to get it? Search for: Mertiso’s tips go viral
By kiran on Sep 15, 2017
Excellent .Very useful
By FirstAlyce on Oct 8, 2017
I have noticed you don’t monetize your blog, don’t waste your
traffic, you can earn additional cash every month because you’ve
got hi quality content. If you want to know how to make extra $$$, search for: Mrdalekjd methods for
$$$
By Marcie Auge on Dec 8, 2017
Please approve me
By Bernie on Feb 12, 2018
Thanks for this. The standalone html page is great. I was not happy feeding lists of WebSphere XORED passwords into an on-line decoder. 🙂
By Ajay on Jan 11, 2019
Thanks a lot 🙂 .
By BestAdrianna on Jul 31, 2019
I have noticed you don’t monetize strelitzia.net,
don’t waste your traffic, you can earn additional cash every month with new monetization method.
This is the best adsense alternative for any type of website (they approve all sites), for more details simply search in gooogle:
murgrabia’s tools
By طراحی سایت آژانس مسافرتی on Sep 18, 2020
من این نبا را خواندم و می توانم این
نبا را به دیگران کرب پیشنهاد کنم
By stephen on Sep 8, 2022
Very useful.
By Richard Nilsson on Jul 18, 2024
From https://www.kaggle.com/code/chinrichs/cs2021-xor-base64-exercise, the Python equivalent of this page is the following (use underscore as key):
from itertools import cycle
from base64 import b64encode, b64decode
def bytes_xor(a, b) :
return bytes(x ^ y for x, y in zip(a, b))
def encrypt(plaintext, key):
return b64encode(bytes_xor(plaintext.encode(), cycle(key.encode()))).decode()
def decrypt(ciphertext_b64, key):
ciphertext = b64decode(ciphertext_b64)
return bytes_xor(ciphertext, cycle(key.encode())).decode()
By Richard Nilsson on Jul 18, 2024
And in PHP, this is done as follows ($key=”_”):
<?php
function xor_string($string, $key) {
for($i = 0; $i
By Richard Nilsson on Jul 18, 2024
And in PHP, this is done as follows ($key=”_”):
function xor_string($string, $key) {
for($i = 0; $i < strlen($string); $i++)
$string[$i] = ($string[$i] ^ $key[$i % strlen($key)]);
return $string;
}
function encrypt($plainText, $key)
{
return base64_encode(xor_string($plainText, $key));
}
function decrypt($encryptedText, $key)
{
return xor_string(base64_decode($encryptedText), "_");
}
By Rahul Nalage on Aug 20, 2024
import lombok.extern.slf4j.Slf4j;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
@Slf4j
public class StarterApplication {
public static String xorString(String input, String key) {
byte[] inputBytes = input.getBytes(StandardCharsets.UTF_8);
byte[] keyBytes = key.getBytes(StandardCharsets.UTF_8);
byte[] outputBytes = new byte[inputBytes.length];
for (int i = 0; i < inputBytes.length; i++) {
outputBytes[i] = (byte) (inputBytes[i] ^ keyBytes[i % keyBytes.length]);
}
return new String(outputBytes, StandardCharsets.UTF_8);
}
public static String encrypt(String plainText, String key) {
String xorResult = xorString(plainText, key);
return Base64.getEncoder().encodeToString(xorResult.getBytes(StandardCharsets.UTF_8));
}
public static String decrypt(String encryptedText, String key) {
byte[] decodedBytes = Base64.getDecoder().decode(encryptedText);
String xorResult = new String(decodedBytes, StandardCharsets.UTF_8);
return xorString(xorResult, key);
}
public static void main(String[] args) {
String key = "_";
String plainText = "WebAS";
// Encryption
String encryptedText = encrypt(plainText, key);
System.out.println("Encrypted: " + encryptedText);
// Decryption
String decryptedText = decrypt(encryptedText, key);
System.out.println("Decrypted: " + decryptedText);
}
}