How to decode WebSphere passwords

Posted by Marcel Friedmann on 7:41 PM
WebSphere Application Server 8 / 8.5 XOR-encodes (not encrypts!) system passwords: each character is XORed with an underscore ("_"), and the result is then Base64-encoded.

To decode a password stored in WebSphere, first get the {xor} value from <profile-root>/config/cells/<cell-name>/security.xml.

Switch to the command line and define the WAS_HOME variable.
You also need to define a Java classpath (MYCLASSPATH in the command below) containing the needed JARs.
The class PasswordDecoder actually decodes the XOR value:
$WAS_HOME/java/bin/java -cp "$MYCLASSPATH" com.ibm.ws.security.util.PasswordDecoder '{xor}NzozMzA='
Executing the last command should output the decoded password:
encoded password == "{xor}NzozMzA=", decoded password == "hello"
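
The same transformation can be reproduced without the WebSphere JARs, which is handy when auditing which configuration files hold recoverable passwords. The following is an added example, not code from the original post or from IBM; the function names and the sample XML line are constructed for illustration, and it assumes passwords are UTF-8 text.

```python
import base64
import re

XOR_KEY = 0x5F  # ASCII code of "_", the fixed key named in the post
PREFIX = "{xor}"
# {xor} followed by a Base64 run, as it appears inside attribute values
TOKEN_RE = re.compile(r"\{xor\}[A-Za-z0-9+/]*={0,2}")


def decode(value: str) -> str:
    """Strip the prefix, Base64-decode, then XOR every byte with "_"."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {xor} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def encode(plain: str) -> str:
    """Forward direction, used to confirm the round trip."""
    xored = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(xored).decode("ascii")


def audit(config_text: str) -> list[str]:
    """Return every {xor} token found in a config file's text."""
    return TOKEN_RE.findall(config_text)


# Constructed sample line (hypothetical element, not copied from a real security.xml)
SAMPLE = '<entry alias="demo" password="{xor}NzozMzA="/>'

if __name__ == "__main__":
    for token in audit(SAMPLE):
        print(f'encoded password == "{token}", decoded password == "{decode(token)}"')
```

Because the key is a constant, every token that audit() reports is as readable as plaintext to anyone with read access to the file, so file permissions on the profile's config directory are the only real protection.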
To dig a little deeper, I recommend this excellent IBM techjournal article:
