[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Confused about md5 passwords

To: Harry Hoffman <hhoffman@ip-solutions.net>
Subject: Re: Confused about md5 passwords
From: Peter W <peterw@usa.net>
Date: Wed, 12 Dec 2001 11:32:46 -0500
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <1008173745.3c1782b17416e@webmail.ip-solutions.net>; from hhoffman@ip-solutions.net on Wed, Dec 12, 2001 at 11:15:45AM -0500
References: <1008173745.3c1782b17416e@webmail.ip-solutions.net>
User-agent: Mutt/1.2.5i

On Wed, Dec 12, 2001 at 11:15:45AM -0500, Harry Hoffman wrote:

> However when I use ngrep to watch the traffic between the application
> requesting autentication and the ldap db I see the password in clear text.

Unless you use LDAPv3 and TLS, that's true.

> Should this be happening? If so what purpose does moving to md5 present?
> Or is it just that should someone be able to grab the ldap passwords it 
> will be more difficult to crack?

If somebody breaks into the LDAP repository & gets the stored values, then 
deriving workable passwords for those MD5 hashes will be, hopefully, 
prohibitively expensive. Right.

-Peter

-- 
I am what I am 'cause I ain't what I used to be. - S Bruton & J Fleming

References:
- Confused about md5 passwords
  - From: Harry Hoffman <hhoffman@ip-solutions.net>

Prev by Date: Confused about md5 passwords
Next by Date: Re: Confused about md5 passwords
Index(es):
- Chronological
- Thread