[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: PHP: issues managing the password, what is wrong?
On Wed, Sep 30, 2009 at 3:51 AM, Jonathan Clarke
<jonathan@phillipoux.net> wrote:
> On 30/09/2009 11:54, Zdenek Styblik wrote:
>>
>> I'd say it depends on the type of leak of credentials - if database is
>> stolen, or password is sniffed through eg. http [web app] - in the first
>> case, hashed passwords will buy time; the second - it doesn't matter,
>> how's the password stored in LDAP - right?
>
> Several different cases here:
> 1) Database is stolen: the stronger the hash algorithm, the more time you
> buy.
> 2) Password is sniffed in plain text: hash-independant, since the attacker
> already has clear text password
> 3) Brute force attack by attempting to bind to LDAP server: if the hash only
> takes 8 characters into account, that makes brute-forcing a lot easier -
> limited number of possibilities. Other than that, hashes should be
> equivalent in this case, aside from server load.
>
> Of course, there are other considerations, such as password policy locks,
> password complexity and of course users with post-it notes.
>
> Back to the original topic though: the way a password is stored is really
> only the LDAP server's business. As Howard said, OpenLDAP uses SSHA by
> default - unless you notice some performance hit from that, there's no
> reason to change it.
>
> Jonathan
>
Guys I appreciated this help. Clarke I had found what I was locking
in the link u give me, it is clear and already
customize for me.
I have learn to much with this post, I had been searching around
without any luck, but now is more clear to me.
Thanks again for your help and acknolegde to all of u!!!
--
LIving the dream...