Older versions of IBM WebSphere encode their passwords with a simple algorithm. These passwords are not encrypted, and it has long been known that decoding them is fairly simple. So far the presented methods did not always suit my needs, so I created yet another decoder. It is written in JavaScript for reasons I will describe below.
The most common way of decoding these password ‘hashes’ is relying on a website to perform the decoding for you. There are a few well-known sites which do just the trick. There is a little flaw in this method, as you cannot guarantee that your password is not stored on the server, making you just a bit vulnerable to attacks: they can store your IP and your password and mount an attack with that info. Call me paranoid.
The other way is letting WebSphere itself decode the hash. The code is all there on the system, documented even on the IBM site, yet the method differs per installation and the commands can be a bit overcomplicated. It can be done and it is fail-safe. But you need to run some Java commands from the command line, with many permutations in the final command. You need to construct it yourself, and I cannot give you a one-size-fits-all command.
The best solution in my opinion is to run it locally in a browser, without the hassle of figuring out the exact method. As the method is pretty simple, it can be written in a little file and run locally, under your own control. I have written such a JavaScript and you can use it to your liking. The most secure option is to download the HTML file (it is self-contained) and run it locally in your browser.
If you have just a little bit of healthy paranoia, you should download this HTML file. Store it locally. Check it. And then use it. Just to ensure that nobody steals your passwords while decoding.
— update: now with encoder as well as decoder
It has a little form, pre-populated with the best known encoded password: WebAS.
You merely copy the hash in the source field (with or without {xor}) and click decode and voilà: your decoded password is there.
The decoding is pretty straightforward: first the method prefix is removed if it is present (the method is {xor}). The hash is then base64 decoded and each character is XORed against an underscore (ASCII 95). The result is your password. (Encoding is exactly the same, but in reverse order.)
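The steps above as a small decoder and encoder pair, written here as an added example rather than the author's own HTML file; the function names are mine, and passwords are assumed to consist of single-byte (Latin-1) characters, which is what the byte-wise XOR operates on:

```javascript
// Added example: WebSphere {xor} password decoding/encoding as described above.
// Not the author's tool; names (decodeXor, encodeXor, ...) are this example's own.
const XOR_KEY = 0x5f;      // ASCII 95, the underscore '_'
const PREFIX = '{xor}';    // method marker WebSphere puts in front of the value

// base64 helpers that work both in Node (Buffer) and in a browser (atob/btoa).
// Latin-1 keeps a 1:1 mapping between bytes and string characters.
function b64Decode(s) {
  return typeof Buffer !== 'undefined'
    ? Buffer.from(s, 'base64').toString('latin1')
    : atob(s);
}
function b64Encode(s) {
  return typeof Buffer !== 'undefined'
    ? Buffer.from(s, 'latin1').toString('base64')
    : btoa(s);
}

// XOR every character code with '_'. XOR is its own inverse, so the same
// routine serves both directions.
function xorUnderscore(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) ^ XOR_KEY);
  }
  return out;
}

// Decode: strip the optional {xor} prefix, base64-decode, XOR with '_'.
// Rejects input that is not plain base64 so garbage is not silently "decoded".
function decodeXor(encoded) {
  let s = String(encoded).trim();
  if (s.toLowerCase().startsWith(PREFIX)) s = s.slice(PREFIX.length);
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(s) || s.length % 4 !== 0) {
    throw new Error('not a valid base64 {xor} value');
  }
  return xorUnderscore(b64Decode(s));
}

// Encode: XOR with '_', base64-encode, prepend the {xor} marker.
function encodeXor(plain) {
  return PREFIX + b64Encode(xorUnderscore(String(plain)));
}
```

Because the "key" is a fixed, public constant, `encodeXor` gives no confidentiality at all; it only keeps the plaintext out of casual view, which is the reason the article stresses protecting the file system.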
A final remark: the weakness of these hashes has long been known. That is why WebSphere no longer uses it for sensitive passwords (as of 6.1). This also means that you need to carefully protect your file systems if passwords are stored there. Not just encoded, but also hashed passwords in any form. This encoding is too simple, but in theory all stored passwords can be a security hazard.
very useful! Excellent work!
Thanks!
BTW, how can I do it the reverse way, to encrypt a string for WAS to use?
Hi
I updated the WebSphere decoder to have an encoder as well. Just a few lines of code and some beautification! Please test it and use it to your liking.
Thanks! It works beautifully!
Very useful……….
prettier decoder here
http://www.poweredbywebsphere.com/decoder.html
Yeah, Andy 😉 I made a link to yours. But who tells me you’re not simply storing all my passwords? Mine is fully controllable by anybody. That is why I created mine.
It worked effortlessly. Thanks a million !!!!
this information is good.
Can I please have this “Decoding WebSphere passwords”
in core Java?
It is really helpful…
Thanks in advance.
Need core Java code for decoding WebSphere passwords
(you have already written it in JavaScript),
where I need to send a String to a method and get the decoded String returned.
this will help a lot…
thanks in advance.
If you have read the article, you can see that IBM provided a Java Decoder themselves. The method differs per WebSphere version, so read carefully. I see no reason to build this in Java but be my guest!
Thanks jzomer.
I checked the IBM document but no luck, getting “No Found Error MSG”.
Your JavaScript code is good for different Version as well. Thanks for sharing.
Could you please help me to get java code?
It is really helpful for me.
Thanks again.
Does it work for IBM WAS 7.0?
It will work for all instances where a XOR algorithm is used. However, the most important parts of security have been revised and no longer use this algorithm. IBM (rightfully) now uses a one-way hash.
It does. However, still only on XOR-schemed passwords. And there aren’t that many left. Certainly not useful ones. IBM has improved its password strength quite a bit since WAS6, so this tool becomes obsolete quite fast.
Thanks, but it didn’t work for WS8.5 (Windows).
Do you have a way out for encrypting passwords in WebSphere 8.5?
Excellent. Very useful.
Thanks for this. The standalone html page is great. I was not happy feeding lists of WebSphere XORED passwords into an on-line decoder.
Thanks a lot.
I read this post and can recommend it to others.
Very useful.