Password migration
When you use the API to create a user, you can provide a value for the user’s password attribute.
This capability supports plain text passwords that are encrypted when they are set, random
password generation by the service, and pre-defined encrypted hashes. IBM® Security Verify supports the following 1-way hash algorithms.
- Crypt
- Passwords are encrypted by the UNIX crypt encryption
algorithm before they are stored in the directory. Passwords with this hashing algorithm that are
imported via API must have the prefix
{Crypt}. - MD5
- Passwords are encrypted by the MD5 Message Digest algorithm before they are stored in the
directory. Passwords with this hashing algorithm that are imported via API must have the prefix
{MD5}. - SHA-1
- Passwords are encrypted by the SHA-1 encryption algorithm before they are stored in the
directory. Passwords with this hashing algorithm that are imported via API must have the prefix
{SHA1}. - Salted SHA-1
- Passwords are encrypted by the Salted SHA-1 encryption algorithm before they are stored in the
directory. Passwords with this hashing algorithm that are imported via API must have the prefix
{SSHA1}. - SHA-2
- Passwords are encrypted by the SHA-2 family of encryption algorithm before they are stored in
the directory. The following encryption schemes are supported under the SHA-2 family of encryption algorithm:
- SHA-224
- SHA-256
- SHA-384
- SHA-512
{SHA###}, where the numbers represent the SHA number value. - Salted SHA-2
- Passwords are encrypted by the Salted SHA-2 family of encryption algorithm before they are
stored in the directory. The following encryption schemes are supported under the Salted SHA-2
family of encryption algorithm:
- SSHA-224
- SSHA-256
- SSHA-384
- SSHA-512
{SSHA###}, where the numbers represent the SHA number value.
Note:
If you use the CSV import API, when you pass a hashed password make sure to escape any
“+” signs by replacing them with “%2B”.