
Re: Confused about md5 passwords



On Wed, Dec 12, 2001 at 11:15:45AM -0500, Harry Hoffman wrote:

> However when I use ngrep to watch the traffic between the application
> requesting authentication and the ldap db I see the password in clear text.

Unless you use LDAPv3 and TLS, that's true.

> Should this be happening? If so what purpose does moving to md5 present?
> Or is it just that should someone be able to grab the ldap passwords it 
> will be more difficult to crack?

If somebody breaks into the LDAP repository & gets the stored values, then 
deriving workable passwords for those MD5 hashes will be, hopefully, 
prohibitively expensive. Right.

-Peter

-- 
I am what I am 'cause I ain't what I used to be. - S Bruton & J Fleming
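
An added example, not part of the original message: a sketch of the server-side check behind a simple bind. It shows why the client still sends the cleartext password while only the stored value is hashed. The function names and sample password are constructed for illustration, and the usual `{MD5}`/`{SMD5}` userPassword encoding (base64 of the raw digest, salt appended for `{SMD5}`) is assumed.

```python
import base64
import hashlib
import hmac


def make_md5(password: bytes) -> str:
    """Build a {MD5} value: base64 of the raw 16-byte MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def make_smd5(password: bytes, salt: bytes) -> str:
    """Build a {SMD5} value: base64(md5(password + salt) + salt)."""
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def verify_bind(stored: str, presented: bytes) -> bool:
    """Compare the cleartext from a simple bind against the stored hash.

    The server must receive the cleartext to recompute the digest, which
    is why the password is readable on the wire unless TLS protects it.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False  # this sketch only handles {MD5} and {SMD5}
    scheme, _, b64 = stored[1:].partition("}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False  # malformed base64 in the stored value
    if scheme.upper() == "MD5" and len(raw) == 16:
        return hmac.compare_digest(raw, hashlib.md5(presented).digest())
    if scheme.upper() == "SMD5" and len(raw) > 16:
        digest, salt = raw[:16], raw[16:]
        expected = hashlib.md5(presented + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False  # unsupported scheme


if __name__ == "__main__":
    stored = make_smd5(b"constructed-sample-pw", b"\x01\x02\x03\x04")
    print(stored)
    print(verify_bind(stored, b"constructed-sample-pw"))  # cleartext binds
    print(verify_bind(stored, stored.encode()))  # stored value does not bind
```

Presenting the stored value itself fails the check, so a stolen hash is not directly usable as a password; the bind traffic is the part that needs TLS.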