
Re: Antw: Re: Openldap support SHA-256 or SHA-3.



>>> Quanah Gibson-Mount <quanah@symas.com> wrote on 13.01.2020 at 17:15 in
message <A3800A014D08046DDE90E71C@[192.168.1.144]>:

> 
> --On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl 
> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> 
>>>>> Quanah Gibson-Mount <quanah@symas.com> wrote on 08.01.2020 at 03:05
>>>>> in
>> message <CA17B510ABD069A7884B759C@[192.168.1.144]>:
>>
>>>
>>> --On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder
>>> <michael@stroeder.com> wrote:
>>>
>>>> AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider
>>>> this to be rather irrelevant here.
>>>
>>> Incorrect, it's clearly implemented in slapd.  Whether it's enabled is a
>>> different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)
>>>
>>> In any case, I've been advocating for several years now to get rid of
>>> SSHA  as the default hashing mechanism and replace it with something
>>> that may  actually have some security value.
>>
>> Is a "well-salted" SHA-1 really worse than a "poorly-salted" SHA-256?
>> Isn't it all about the number of bits that have to be checked
>> (brute-force)?
> 
> As Howard already noted, what we're looking for is something like Argon2, 
> not further SSHA derivatives.

There may be a security benefit like going from paranoid to triple paranoid,
but for real life I think users' poor passwords and the handling of those
(keeping them in unsafe memory, phishing, post-it stickers, etc.) gives real
attackers easier means to "get the password".

Regards,
Ulrich
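The question raised in the quoted part of this thread, whether a longer salt on SHA-1 or SHA-256 makes offline guessing harder, and why the maintainers want a tunable-cost scheme instead, can be made concrete with a small experiment. The following is an added example written for this page; it is not code from OpenLDAP or from any participant in the thread. It reproduces the RFC 2307 layout slapd uses for {SSHA} (base64 of digest(password || salt) || salt) and the same construction with SHA-256 as the pw-sha2 module's {SSHA256}, then measures how many wrong guesses per second one core can check against each stored value. Because Argon2 is not in the Python standard library, hashlib.scrypt stands in for it (an assumption, chosen only because it is also a memory-hard KDF with a defender-tuned cost); the password and salts are constructed sample values.

```python
import base64
import hashlib
import secrets
import time

# Tag -> hashlib algorithm for the salted-digest schemes discussed in the thread.
# {SSHA} is slapd's default; {SSHA256} is the same layout via the pw-sha2 module.
SALTED_SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256"}


def ssha_hash(password: bytes, salt: bytes, scheme: str = "SSHA") -> str:
    """Return '{SCHEME}' + base64(digest(password || salt) || salt), the RFC 2307 layout."""
    algo = SALTED_SCHEMES[scheme]
    digest = hashlib.new(algo, password + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str):
    """Recover (scheme, digest, salt). The salt sits in the clear next to the digest,
    so whoever holds the hash holds the salt too: salt length defeats precomputed
    tables but adds nothing to the per-guess cost of a brute-force run."""
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    dlen = hashlib.new(SALTED_SCHEMES[scheme]).digest_size
    return scheme, raw[:dlen], raw[dlen:]


def ssha_verify(password: bytes, stored: str) -> bool:
    scheme, digest, salt = split_ssha(stored)
    candidate = hashlib.new(SALTED_SCHEMES[scheme], password + salt).digest()
    return secrets.compare_digest(candidate, digest)


# Memory-hard stand-in (assumption): Argon2 is not in the standard library, so scrypt
# from hashlib shows the property the thread is after, a per-guess cost that the
# defender sets with the work parameters rather than with the salt.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB per guess


def scrypt_hash(password: bytes, salt: bytes) -> str:
    key = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "{SCRYPT}" + base64.b64encode(key + salt).decode("ascii")


def scrypt_verify(password: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SCRYPT}"):])
    key, salt = raw[:64], raw[64:]           # hashlib.scrypt default dklen is 64
    candidate = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return secrets.compare_digest(candidate, key)


def guesses_per_second(verify, stored: str, guesses: int = 50) -> float:
    """Single-core offline throughput: wrong guesses checked per second against one hash."""
    start = time.perf_counter()
    for i in range(guesses):
        verify(b"wrong-guess-%d" % i, stored)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password
    cases = (
        ("SSHA, 4-byte salt", ssha_hash(pw, secrets.token_bytes(4)), ssha_verify),
        ("SSHA, 32-byte salt", ssha_hash(pw, secrets.token_bytes(32)), ssha_verify),
        ("SSHA256, 32-byte salt", ssha_hash(pw, secrets.token_bytes(32), "SSHA256"), ssha_verify),
        ("scrypt N=2^14", scrypt_hash(pw, secrets.token_bytes(16)), scrypt_verify),
    )
    for label, stored, verify in cases:
        assert verify(pw, stored)
        print(f"{label:22s} {guesses_per_second(verify, stored):>12.0f} guesses/s")
```

Running it shows the two SSHA rows within noise of each other regardless of salt size, SSHA256 in the same range, and the scrypt row several orders of magnitude lower; the first three are bounded only by how fast the digest runs, which is exactly the attacker's advantage with GPU hashing, while the last is bounded by a cost the server administrator chooses. That, rather than digest width or salt length, is the argument behind replacing SSHA as the default.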