This post originated from an RSS feed registered with .NET Buzz
by Scott Watermasysk.
Original Post: Hashing Suggestions
Feed Title: ScottW's ASP.NET WebLog
Feed Description: ASP.NET and Blogging
In an enterprise application, you might be able to deploy PKI machine
certificates with your client application. This gives you the opportunity to
encrypt the message, including the UsernameToken, so the password can be sent
without hashing: message-level encryption keeps the token confidential all the
way to the recipient holding the matching private key, however many hops the
message passes through.
Over the Internet in a point-to-point infrastructure, you might choose
to deploy the web service using SSL (HTTPS). Again this allows the password to
be sent in the clear within the UsernameToken because the transport layer takes
care of the encryption. This is non-ideal if you want to apply routing to the
SOAP messages, since transport encryption only covers each hop and every
intermediary sees the token in the clear, but it might be an acceptable
compromise.
In a corporate environment you might be able to use Kerberos instead
of UsernameTokens.
You might choose to store the passwords with reversible encryption
instead of a salted hash. This protects passwords from casual browsing of the
password store, yet still lets the server recover the original password, which
is what the hashed (PasswordDigest) option of UsernameToken requires: the server
must feed the same password value into the digest that the client used. The
trade-off is that anyone who obtains the encryption key obtains every password.
You might use an approach like Keith Brown's (linked above) and
require the client to manipulate the password before it is hashed and
sent.
At the moment, I am simply hashing my passwords on the client using the
same algorithm I used to apply the initial hash. While this works, it does raise
the bar for others to use this service.
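The digest option the post keeps coming back to, worked through as an added example written for this page in Python (it is neither the original post's code nor anything from WSE). It computes the WS-Security UsernameToken PasswordDigest, shows why a server holding only a salted hash cannot verify it, and implements the client-side pre-hash variant: both sides hash the password with the same deterministic algorithm and treat that hash as the shared secret. SHA-256 as the pre-hash, the usernames and passwords in the store, the five-minute freshness window and the in-memory replay cache are all assumptions for illustration; the post names none of them.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw nonce octets (the token carries them Base64-encoded),
    created is the wsu:Created timestamp string, secret is whatever value the
    two sides share: the clear-text password, or a pre-hash of it."""
    h = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(h).decode()


def prehash(password: str) -> str:
    """Assumed client/server pre-hash: deterministic and unsalted on purpose.
    A per-user salt would have to be shipped to the client before it could
    compute the digest, which is exactly the problem the post is wrestling with."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_token(username: str, secret: str, now: Optional[datetime] = None) -> dict:
    """Client side: a fresh 16-byte nonce and Created timestamp per request."""
    nonce = secrets.token_bytes(16)
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, secret),
    }


class UsernameTokenVerifier:
    """Server side. `store` maps username -> prehash(password)."""

    def __init__(self, store: dict, freshness: timedelta = timedelta(minutes=5)):
        self.store = store
        self.freshness = freshness
        # Replay cache keyed on (user, nonce). Unbounded here for brevity;
        # a real service expires entries once they fall outside `freshness`.
        self.seen: set = set()

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        stored = self.store.get(token["Username"])
        if stored is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        # Reject stale or far-future timestamps before touching the digest.
        if abs(now - created) > self.freshness:
            return False
        if (token["Username"], nonce) in self.seen:
            return False
        expected = password_digest(nonce, token["Created"], stored)
        if not secrets.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add((token["Username"], nonce))
        return True


def demo() -> dict:
    """Exercise the happy path and the failure modes with a fixed clock."""
    now = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)
    store = {"alice": prehash("correct horse battery")}  # constructed test data
    server = UsernameTokenVerifier(store)

    good = make_token("alice", prehash("correct horse battery"), now)
    wrong_pw = make_token("alice", prehash("wrong password"), now)
    stale = make_token("alice", prehash("correct horse battery"), now - timedelta(hours=1))
    unknown = make_token("bob", prehash("whatever"), now)

    results = {
        "fresh": server.verify(good, now),
        "replayed": server.verify(good, now),  # same nonce presented twice
        "wrong_password": server.verify(wrong_pw, now),
        "stale": server.verify(stale, now),
        "unknown_user": server.verify(unknown, now),
    }
    # A store holding salted hashes cannot verify the same token: the server
    # would have to reproduce the exact bytes the client fed into SHA-1, and
    # the client never saw the salt.
    salted_store = {"alice": hashlib.sha256(b"salt" + b"correct horse battery").hexdigest()}
    results["salted_store"] = UsernameTokenVerifier(salted_store).verify(good, now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

Note what the pre-hash does and does not buy you: the stored value is a password equivalent, since anyone who dumps the store can pass it straight to `make_token` and authenticate, and an unsalted hash is cheap to brute-force offline. What it does give you is a password store that is not readable at a glance and a wire protocol that never carries the clear-text password, which is the compromise the post describes.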