Password Encryption

Applies To: SharePoint Server 2007 for Search, Windows Server 2008 R2, Windows Server 2012

Password encryption

A Windows-based computer can send and receive updated passwords to and from a UNIX-based computer as encrypted text only. The Password Synchronization single sign-on daemon (SSOD) receives the encrypted password and decrypts it before requesting the password change on the UNIX host. Similarly, if Password Synchronization is configured to support UNIX-to-Windows synchronization, the pluggable authentication module (PAM) encrypts the password before sending it to Password Synchronization on the Windows-based computer, which then decrypts the password before requesting the password change on the Windows-based computer.

The password can be successfully decrypted only if Password Synchronization and the SSOD or PAM module use the same encryption key to encrypt and decrypt the password. Before installing the SSOD on any UNIX computer, you must first set the default encryption key. You must then specify the same key in the sso.conf file when you install the SSOD on each UNIX host. This will ensure that Password Synchronization and the SSOD on the UNIX hosts will use the same encryption key. For more information about setting the default encryption key, see Setting the password encryption key. For information about installing and configuring the SSOD, see Install the Password Synchronization daemon on UNIX-based computers.

For added security, you can specify an encryption key that is used only between a particular Windows-based computer and a UNIX host, so that a key recovered from one UNIX host cannot be used to decrypt the password traffic of the others. For information about configuring Password Synchronization to use a computer-specific encryption key, see Setting computer-specific synchronization properties. For information about setting the computer-specific encryption key on the UNIX computer, see Use sso.conf to configure Password Synchronization on UNIX-based computers.

Encryption key requirements

The encryption key must meet the following requirements:

  • It must be 16 to 21 characters long (21 is recommended).

  • It must contain characters from at least three of the following four groups:

    • Uppercase English letters (A–Z)

    • Lowercase English letters (a–z)

    • Westernized Arabic numerals (0–9)

    • Punctuation symbols ` ~ ! @ # $ % ^ & * _ - + = | \ { } [ ] : ; " ' < > . ?

  • It must not contain a left or right parenthesis (that is, a "(" or ")" character), a comma (,), or a blank space ( ).
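The following Python script is an added example, not code from the original page or from Password Synchronization itself. It checks a candidate key against the requirements listed above and, going one step beyond the list, generates a compliant key from the operating system's CSPRNG so that the same value can be entered on the Windows-based computer and in sso.conf. One assumption: the page only names the four mandatory character groups and the three forbidden characters, so the checker conservatively rejects any character outside those groups (for example "/" or non-ASCII letters) rather than guessing how the product would treat it.

```python
import secrets
import string

# Rules from the "Encryption key requirements" list above.
MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 16, 21, 21
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
PUNCTUATION = set("`~!@#$%^&*_-+=|\\{}[]:;\"'<>.?")
FORBIDDEN = set("(), ")          # parentheses, comma, blank space
ALLOWED = UPPER | LOWER | DIGITS | PUNCTUATION


def check_key(key: str) -> list[str]:
    """Return the list of rule violations; an empty list means the key is acceptable."""
    problems = []
    chars = set(key)

    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} is outside {MIN_LEN}-{MAX_LEN} characters")

    bad = sorted(chars & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(repr(c) for c in bad))

    # Assumption (not stated on the page): anything outside the four groups is rejected.
    unknown = sorted(chars - ALLOWED - FORBIDDEN)
    if unknown:
        problems.append("contains character(s) outside the four groups: "
                        + " ".join(repr(c) for c in unknown))

    groups_used = sum(bool(chars & group) for group in (UPPER, LOWER, DIGITS, PUNCTUATION))
    if groups_used < 3:
        problems.append(f"uses only {groups_used} of the 4 character groups (need 3)")

    return problems


def generate_key(length: int = RECOMMENDED_LEN) -> str:
    """Generate a random key that satisfies check_key(), using rejection sampling."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = "".join(sorted(ALLOWED))   # forbidden characters are never drawn
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_key(key):            # a draw can still miss the 3-of-4 rule; retry
            return key


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for candidate in ("Correct-Horse-Batt3ry", "alllowercaseletters1", "Has a space, (parens) 1"):
        verdict = check_key(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("generated:", generate_key())
```

Run the checker on a key before pasting it into the Windows configuration and into sso.conf on each UNIX host; a key that passes here but is mistyped on one side (a trailing space is a common slip, and is itself a forbidden character) will cause the SSOD or PAM module to decrypt garbage, and the password change will fail.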