One of the primary difficulties in directory integration is password synchronization. Most directories don't store clear passwords but rather a hash, or mathematical representation of a password that you can't easily trace back to the original password. Furthermore, a password is one of the rare attributes in a directory that is read-only, at least by general applications. Passwords are read-only because the only service that can actually read a password is the security service. Why is this point important? Because general directory synchronization services can't directly read passwords from most directories, and those directories that let synchronization services read them aren't secure enough to use as a master directory for password protection. Therefore, most directory synchronization options implement some form of redirection that intercepts password changes as administrators or users make them, then reflects those changes in the various directories the synchronization options integrate. Redirection requires administrative permission on all platforms for both the implementer and the directory-integration service. An example is Novell Directory Services (NDS) for NT, which replaces Windows NT's samsrv.dll and the SAM database on domain controllers to intercept password changes. The redirection problem is part of the wider security question surrounding system synchronization and the movement toward single sign-on (SSO). The primary problem is that if your synchronization or metadirectory solution is not secure, none of your managed directories can be secure.