UCS LDAP password

I’m bringing this back up because I had a conversation with someone else who referred to this. I think vargax knows all of this by now, but for anyone coming back to this topic because of searching for plaintext passwords or password hashes:

  • UCS does not store user passwords in plaintext
  • Base64 is not a hashing algorithm, but an encoding (one can easily decode it. Hashes are only one-way)
  • Unsalted MD5 and SHA1 hashes are considered broken and should be treated as a security risk

Regarding the original problem:

I can understand those concerns, but I think it’s worth a second thought. I would rather expose the UCS SAML SSO login page than sync passwords that are either not encrypted (plaintext, base64) or use weak hashing algorithms (unsalted MD5/SHA1). To me, the latter sounds like a much more insecure choice.
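The three bullet points above (base64 is reversible encoding, unsalted MD5/SHA1 is weak, a proper password store is salted and one-way) can be shown side by side in a few lines. The following is an added example written for this thread; it is not UCS code and does not reflect how UCS itself stores credentials. The `classify_stored_value` heuristic, the `pbkdf2_sha256$` record format and the sample values are all constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def decode_base64(value):
    """Base64 is an encoding, not a hash: decoding needs no key and is lossless.
    Returns the decoded bytes, or None if the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def unsalted_md5(password):
    """Deterministic, unsalted MD5 hex digest (weak: identical passwords give
    identical digests, so precomputed tables and cross-user comparison work)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_sha1(password):
    """Deterministic, unsalted SHA1 hex digest (same weakness as above)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def classify_stored_value(value):
    """Heuristic (constructed for this example) that labels how a stored
    credential string was protected. Hex digests are checked first because a
    32- or 40-character hex string is also syntactically valid base64."""
    if HEX_RE.match(value):
        if len(value) == 32:
            return "unsalted-md5"
        if len(value) == 40:
            return "unsalted-sha1"
    raw = decode_base64(value)
    if raw is not None:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        if text is not None and text.isprintable():
            # The original password is recoverable by anyone who reads the value.
            return "base64-reversible"
    return "unknown"


def hash_password_salted(password, salt=None, iterations=200_000):
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard
    library). Record layout 'pbkdf2_sha256$<iter>$<salt hex>$<digest hex>' is
    an assumption of this example, not a UCS format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: "password" encoded as base64.
    encoded = "cGFzc3dvcmQ="
    print("base64 decodes to:", decode_base64(encoded))
    print(classify_stored_value(encoded))
    print(classify_stored_value(unsalted_md5("password")))
    # Two users with the same password: unsalted digests collide, salted ones do not.
    print(unsalted_md5("password") == unsalted_md5("password"))
    a = hash_password_salted("password")
    b = hash_password_salted("password")
    print(a == b, verify_password("password", a), verify_password("wrong", a))
```

Running the script shows the base64 value decoding straight back to `b'password'`, the MD5 digest of the same password being identical every time it is computed, and two salted records for the same password differing while both still verify.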