FIM 2010 SSPR - Password Reset challenge answers are stored encrypted?
Hi All, knowing that Password Reset challenge answers are stored in the DB as a hash value, I'm worried about whether there is a way the hash value can be cracked. If not, how does it actually work?
tw
May 25th, 2011 6:48am

From a developer's perspective the hash is normally one-way, so you cannot decrypt it or anything like that. However, the application can hash the provided answer and check if both hashes match (because they will result in the same hash if the correct key & salt is used to generate the hash). Not sure how FIM does this, but I presume something like that. The answers are stored in SHA256, so it should be pretty safe.
Need realtime FIM synchronization? Check out the new http://www.traxionsolutions.com/imsequencer that supports FIM 2010 and Omada Identity Manager real time synchronization!
May 25th, 2011 10:22am

Hi Paul, I don't really understand the statement "However the application can hash the provided answer and check if both hashes match". Do you mind elaborating more? Or is there any article I can refer to?
tw
May 25th, 2011 11:00am

That's just how hashing works: the application has access to the hashed secrets from when the user registered his answers. Because the end user specifies his answers in the reset form, the application can hash those answers again and see if the resulting hash matches what it had from the registration. However, if one were to take the hash, you cannot just "export" the answers from it...
http://setspn.blogspot.com
May 25th, 2011 4:22pm

Hashing is a mathematical function that, for a given input, would return the same output. E.g. SHA256("A") would always give the same output. (However, notice it is possible to find two inputs which would give the same output.) There is no known way to turn an output back to its input. Given inputs $x and $y, if ($x==$y) then SHA256($x) == SHA256($y). Since we store the hashed answer, we compare the user input by hashing the input again and comparing the hashed output.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 25th, 2011 8:48pm

Hashing is a mathematical function that, for a given input, would return the same output. E.g. SHA256("A") would always give the same output. (However, notice it is possible to find two inputs which would give the same output.) There is no known way to turn a hashed output back to its input using a non-brute-force approach. Given inputs $x and $y, if ($x==$y) then SHA256($x) == SHA256($y). Since we store the hashed answer, we compare the user input by hashing the input again and comparing the hashed output.
The FIM Password Reset Blog http://blogs.technet.com/aho/
May 25th, 2011 8:49pm
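The register-then-compare flow described in the answers above, as an added illustration that is not code from the thread or from FIM itself: each answer is normalized, hashed with a random per-answer salt and an iterated SHA-256 (PBKDF2), and verification recomputes the digest from the typed answer and compares it in constant time. The salt, iteration count and normalization rules are assumptions for the example; the thread does not describe FIM's actual storage scheme.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed parameter: iterating SHA-256 slows brute-force guessing of short
# answers, which the thread notes is the only way to recover an input from a hash.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    # Answers are short, human-typed strings: apply the same normalization at
    # registration and at reset so "Fluffy " and "fluffy" hash identically.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def register_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    # Store only a random per-answer salt and the one-way digest, never the answer.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, provided: str) -> bool:
    # Recompute the digest with the stored salt and compare in constant time;
    # nothing is "decrypted", the stored hash is only matched against a fresh one.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(provided).encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def verify_all(records: list, provided_answers: list) -> bool:
    # Check every answer without an early exit so response timing does not
    # reveal which individual answer was wrong.
    if len(records) != len(provided_answers):
        return False
    ok = True
    for rec, ans in zip(records, provided_answers):
        ok &= verify_answer(rec, ans)
    return ok


if __name__ == "__main__":
    # Constructed sample registration of two challenge answers
    stored = [register_answer(a) for a in ("Fluffy", "Springfield")]
    print(verify_all(stored, ["fluffy ", "springfield"]))  # True
    print(verify_all(stored, ["fluffy", "Shelbyville"]))   # False
```

Two users registering the same answer get different stored hashes because of the per-answer salt, so a leaked table cannot be matched against a single precomputed list of common answers.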
