User Password Hashing with WSO2 Identity Server (WSO2IS)

If you are storing end user passwords, It must be stored as hashed value.. not as encrypted or plain text. Because; once it is stored as hashed, it is hard to find the actual password out of it. So, it is guarantee more security for your end users.

Let see how we can properly configure WSO2 Identity Server to hash the passwords.

WSO2 IS can be connected with two main types of user store implementations i.e JDBC based user stores and LDAP based user stores. Password hashing configurations and methods would be changed based on the connected user store.

Storing passwords in JDBC user stores


When you have enabled the JDBC user store of WSO2 IS (or any other Carbon based products), user passwords are stored as salted hashed by default.

There are two user store configuration properties that governs the password storing which are followings.

<Property name="PasswordDigest">SHA-256</Property>
 <Property name="StoreSaltedPassword">true</Property>

PasswordDigest property can be used to define the algorithm.. All the algorithms which are supported by JAVA can be used here. Please check the supported algorithms by JAVA 7 from here.

Please note, If you just configure as SHA , It is consider as SHA-1

It is always better to configure algorithm with higher bit value as digest bit size would be  increased.

SHA-1 password

SHA-512 password

Storing Salted Hash Passwords


As mentioned, by default WSO2IS stores the password with salted value. It is said that the best way to protect passwords is to employ the salted password hashing. Once it is salted, Dictionary and Brute Force Attacks against the passwords would be more difficult.

As an simple example, if we set following property to false

<Property name="StoreSaltedPassword">false</Property>

Passwords would be hashed without a slated value. If two users (bob and alice) have the same password, they would be stored as same hashed value.

But, if salted password is used, WSO2IS would add some random value to password and generate the hash of it. Therefore if two users have same passwords, they would be stored as different hashed values which is more secure and recommended way to do it.

Storing passwords in LDAP user stores


Most of the LDAP servers (such as OpenLdap, OpenDJ, AD, ApacheDS and etc..) are supported to store password as salted hashed values (SSHA)

Therefore WSO2IS server just wants to feed password in to the connected user store as plain text value. Then LDAP user store can stored them as salted hashed value. To feed the plain text in to the LDAP server, you need to configure following user store property with value “PLAIN_TEXT”

<Property name="PasswordHashMethod">PLAIN_TEXT</Property>

But; if your LDAP does not support to store user password as hashed values. You can configure WSO2IS to hash the password and feeds the hashed password in to the LDAP server. Then you need to configure PasswordHashMethod property with SHA (SHA-1), SHA-256, SHA-512.. Basically All the message digest algorithms which are supported by JAVA can be used here.

<Property name="PasswordHashMethod">SHA</Property>

Please note that, WSO2IS can not create a salted hashed password (SSHA) to feed in to the LDAP. Therefore, if you are using a LDAP server, the best way is to configure your LDAP server to store password as SSHA.

In theory; when you are using LDAP server with WSO2IS. Please configure your LDAP to store password as SSHA and then configure the “PasswordHashMethod” property to “PLAIN_TEXT”
Thanks for reading…!!!