3.2 User and Agent Password Authentication

The ZENworks Orchestrator Server stores all user and agent passwords in its data store as double-hashed strings. The single-hashed password sent by the user is hashed again with a random salt chosen by the server, and the result is compared to the double-hashed password stored by the server to authenticate the user. This procedure prevents a stolen server data store (including its passwords) from being used to crack the passwords of user accounts on the server, or to reuse those passwords on other servers.

This also means that the “user hashed” (that is, the single-hashed) password acts as the actual password. Because the password is sent over an SSL connection it is protected in transit, but even so, the single-hashed password is best not stored on disk. User passwords are single-hashed so that users who use the same password for multiple applications and Web sites do not have those accounts compromised if their Orchestrator password is intercepted by someone monitoring network traffic.

This method is also useful for agents, because agents must store their authentication credentials on disk in order to start up automatically without user intervention. It allows administrators to use user-friendly passwords without exposing the actual password string by storing it on disk.
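The following is an added example that models the scheme described in this section (client-side single hash, server-side salted double hash, agent credential kept only as the single hash); it is not ZENworks Orchestrator code. The hash algorithm (SHA-256), the salt length, and the assumption that the server stores its random salt alongside each double-hashed value so it can repeat the second hash at login time are all assumptions, since the documentation does not state them.

```python
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """Single hash computed by the user or agent before the value leaves the client.

    This string, not the clear-text password, is what an agent keeps in its
    credential file and what travels over the SSL connection.
    SHA-256 is an assumption; the product documentation does not name the algorithm.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_double_hash(client_hashed: str, salt: bytes) -> str:
    """Second hash applied by the server: the salt is prepended to the client hash."""
    return hashlib.sha256(salt + client_hashed.encode("ascii")).hexdigest()


def enroll(store: dict, name: str, client_hashed: str) -> None:
    """Create or reset an account.

    The server picks a random salt and records only (salt, double hash).
    Neither the clear-text password nor the single hash is written to the store.
    Storing the salt next to the record is an assumption made by this example.
    """
    salt = os.urandom(16)
    store[name] = (salt, server_double_hash(client_hashed, salt))


def authenticate(store: dict, name: str, client_hashed: str) -> bool:
    """Re-hash the presented single hash with the account's salt and compare
    in constant time against the stored double hash."""
    record = store.get(name)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(server_double_hash(client_hashed, salt), expected)


def data_store_contains(store: dict, value: str) -> bool:
    """True if `value` (a password or a single hash) appears verbatim anywhere
    in the server data store. Used to check what a stolen store would reveal."""
    for salt, double in store.values():
        if value in (double, salt.hex()):
            return True
    return False


if __name__ == "__main__":
    store = {}
    # Constructed sample credentials for one agent account.
    agent_password = "friendly-agent-password"
    on_disk = client_hash(agent_password)  # what the agent's credential file holds
    enroll(store, "agent01", on_disk)

    print("valid login:   ", authenticate(store, "agent01", on_disk))
    print("wrong password:", authenticate(store, "agent01", client_hash("guess")))
    print("store holds clear-text password:", data_store_contains(store, agent_password))
    print("store holds single hash:        ", data_store_contains(store, on_disk))
```

Two properties of the design are visible when this runs: the same single hash enrolled twice yields two different stored values because each enrollment draws a fresh salt, and the agent's on-disk credential (the single hash) never appears in the server store, so a copy of the store alone is not a replayable credential. A production system would substitute a deliberately slow, memory-hard KDF for the plain SHA-256 used here.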