Hi Kevin,

This is what I found:

Password information from the ARS 6.3 Config. Guide (Page 54):

Identifying password that the user enters when logging in to AR System. This field is limited to 29 characters. The Password field is encrypted into the database using a one-way hash (SHA1), so unauthorized users cannot retrieve passwords in clear text, for example, to log in to applications. To enhance system security, select a password that is different from one used for another purpose. If unsecure passwords are needed for applications, store the password in a character field rather than the Password field (field 102). If the password field is left blank, the AR System server will not validate the password with the user's Windows or UNIX password, unless you configure the server to cross-reference a blank password. For more information, see "Server information—configuration" on page 137.

And knowledge base entry KM-000000010443 states that mid-tier forms pass the password to the mid-tier server in plaintext unless SSL is implemented (which we knew).

Marc Simmons
Remedy Administrator

On 6/14/07, Kevin Murray <[EMAIL PROTECTED]> wrote:
Hi All,

Env: ARS 6.3/Mid-Tier 7.0

Clarification required on the dynamics of Remedy passwords... both user and system set... I believe the following statements to be TRUE since v6 onwards; if not, please can you advise of what your understanding is:

1) From v6 onwards Remedy user passwords are now generated through a one-way MD-5 hash function when none of the encryption packages are used (including the standard package). What form are passwords sent in from, say, a browser using the midtier component?

2) All other Remedy component passwords such as Application Service Password, Database User Password, LDAP Distinguished User Password etc. are stored by the server (and Mid-tier component) using 56-bit DES encryption which incorporates salting.

Finally, what hash or encrypted form do user passwords take when passed to, say, the supplied AREA plugin from the ARSystem server in either SSL and non-SSL communication? I presume they are not sent over the wire in clear-text in either approach, but some level of security is incorporated, in such a manner that the LDAP server can understand the value passed.

Any insights on this appreciated.

Thanks In Advance,
Kevin

Ref: http://www.remedy.com/customers/dht/archive/03-15-2004.htm

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist:"Where the Answers Are"
--
Marc Simmons
Remedy Administrator
"Everyday above ground is a good day... the rest is a choice!"
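The distinction the guide passage draws, between the one-way hashed Password field (field 102) and a plain character field, is easy to see in a few lines of code. The following is an added illustration written for this thread, not AR System code or documented AR System behaviour: it models the two storage choices, shows that a login can be verified against a SHA1 digest without ever recovering the clear text, and shows the 29-character limit the guide quotes. The hex encoding of the digest and the absence of any per-user salt are assumptions of the illustration (the thread does not say how AR System encodes or salts the hash); the function names are likewise invented here.

```python
import hashlib
import hmac

# Field length limit as quoted from the ARS 6.3 Configuration Guide in the thread.
PASSWORD_FIELD_MAX_LEN = 29


def store_in_password_field(password: str) -> str:
    """Model of what the Password field (field 102) keeps: a one-way SHA1 digest.

    SHA1 comes from the guide text; hex encoding and the lack of a salt are
    assumptions of this illustration, not documented AR System behaviour.
    """
    if len(password) > PASSWORD_FIELD_MAX_LEN:
        raise ValueError(f"password exceeds {PASSWORD_FIELD_MAX_LEN} characters")
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_in_character_field(password: str) -> str:
    """Model of the alternative the guide mentions: a plain character field.

    The value is kept as-is, so anyone who can read the record can read the
    password; this is the trade-off the guide points out for 'unsecure'
    application passwords.
    """
    return password


def verify_login(candidate: str, stored_digest: str) -> bool:
    """Check a login attempt the way a one-way hash allows.

    The candidate is hashed and the two digests are compared; the stored value
    never has to be turned back into clear text, which is the property the
    guide relies on. compare_digest avoids a timing side channel on the compare.
    """
    candidate_digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate_digest, stored_digest)


def same_password_same_digest(password_a: str, password_b: str) -> bool:
    """Show the cost of an unsalted hash.

    Two records holding the same password get identical digests, so a dump of
    the table reveals which users share a password even though no clear text
    is stored. A per-user salt (which this model deliberately omits) is what
    removes that correlation.
    """
    return store_in_password_field(password_a) == store_in_password_field(password_b)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    digest = store_in_password_field("correct-horse")
    print("stored digest:", digest)
    print("login with right password:", verify_login("correct-horse", digest))
    print("login with wrong password:", verify_login("wrong-horse", digest))
    print("character field keeps clear text:", store_in_character_field("correct-horse"))
    print("unsalted collision for equal passwords:", same_password_same_digest("a", "a"))
```

Run as a script it prints the digest and the results of the two login checks; the point to take from it is that the stored SHA1 value is enough to validate a login but not to reproduce the password, which is exactly why the guide recommends the Password field over a character field unless an application needs the clear text back.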

