3.1 User and Administrator Password Hashing Methods

All passwords used in ZENworks Orchestrator are hashed using Secure Hash Algorithm-1 (SHA-1). User passwords are hashed with the user name as a “salt” to increase the cost of dictionary-based and brute-force password-cracking strategies. The “salt” is extra data that is hashed together with the user’s password and then concatenated with the hashed password. The use of a salt prevents a password cracker from simply comparing intercepted hashed passwords against a large pre-hashed dictionary.

The “salt” is not secret; it is stored in plain text. ZENworks Orchestrator includes it in the hashed portion of the password and prepends it (again in plain text) to the hashed result, so that the Orchestrator Server can prepend it when testing a password. Because of the salt, an attacker attempting to brute-force a password must compute a separate hash for each password check and cannot reuse a precomputed table across users. This makes a security breach far more expensive computationally.
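The following Python is an added illustration of the scheme described above, not ZENworks Orchestrator code: the user name is used as the salt, hashed together with the password, and prepended in plain text to the digest so the server can recompute the hash at login. The concatenation order, UTF-8 encoding and the "$" separator are assumptions; the product's exact stored layout is not given here. It also shows why a precomputed unsalted SHA-1 dictionary does not match the stored value.

```python
import hashlib
import hmac

# Assumed separator between the plain-text salt and the digest; the text only
# says the salt is prepended, not how it is delimited.
SEPARATOR = "$"


def hash_password(username: str, password: str) -> str:
    """Stored form: plain-text salt (user name) + separator + SHA-1(salt || password)."""
    digest = hashlib.sha1((username + password).encode("utf-8")).hexdigest()
    return username + SEPARATOR + digest


def verify_password(stored: str, username: str, candidate: str) -> bool:
    """Recompute the salted hash from the plain-text salt and compare in constant time."""
    prefix = username + SEPARATOR
    if not stored.startswith(prefix):
        return False  # salt does not belong to this user
    expected = stored[len(prefix):]
    recomputed = hashlib.sha1((username + candidate).encode("utf-8")).hexdigest()
    return hmac.compare_digest(recomputed, expected)


def digest_part(stored: str) -> str:
    """Return only the hex digest portion of a stored value."""
    return stored.partition(SEPARATOR)[2]


def unsalted_sha1(password: str) -> str:
    """What an unsalted, pre-hashed dictionary entry would hold for this password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users choosing the same password get different
    # stored values, so one dictionary lookup cannot serve both.
    # Note: SHA-1 is a fast hash; salting raises cost per user, not per guess.
    for user in ("alice", "bob"):
        stored = hash_password(user, "Summer2024")
        print(user, stored, verify_password(stored, user, "Summer2024"))
```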

WARNING: The zosadmin command line and the ZENworks Orchestrator Console do not use SSL encryption, nor do they support TLS/SSL, so they should only be used over a secure network.

All agent and client connections support TLS encryption. This includes the zos command line and the ZENworks Orchestrator Agent.