--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu hyc@symas.com wrote:
Yes, but there should be something stronger.
How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2.
Worthwhile to read over: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
libsodium's a pretty trivial compile, I added it to Zimbra a while back for another project.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah Gibson-Mount wrote:
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu hyc@symas.com wrote:
Yes, but there should be something stronger.
How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2.
Worthwhile to read over: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
Hm, where did these recommendations come from? They include Scrypt among their recommendations, but there are Scrypt ASICs all over the web already making it trivially hackable.
e.g. http://zoomhash.com/ (just google "scrypt asic" ...)
libsodium's a pretty trivial compile, I added it to Zimbra a while back for another project.
On Sat, 2017-02-25 at 02:17 +0000, Howard Chu wrote:
Quanah Gibson-Mount wrote:
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc@symas. com> wrote:
Yes, but there should be something stronger.
How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2.
Worthwhile to read over: https://paragonie.com/blog/2016/02/how-safely-store-password-in-20 16
Hm, where did these recommendations come from? They include Scrypt among theirĀ recommendations, but there are Scrypt ASICs all over the web already making itĀ trivially hackable.
e.g. http://zoomhash.com/%C2%A0%C2%A0(just google "scrypt asic" ...)
libsodium's a pretty trivial compile, I added it to Zimbra a while back for another project.
When I asked notable Kiwi security researcher Peter Gutmann on the sidelines of Kiwicon about what to use if I ever imagined a Samba un- shackled from the restrictions of Windows compatibility (the printed conference program poked fun at AD for MD4), he strongly recommended Argon2 as mentioned in the link above.
Either way, I'll follow this thread with interest, as I'm keen to have a password hash in Samba that is both best-of-breed and shared between modern OpenLDAP and Samba, for our administrators who need password sync.
Andrew Bartlett
-
Andrew Bartlett -
Howard Chu -
Quanah Gibson-Mount