12:50 p.m.
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc(a)symas.com>
wrote:
> Yes, but there should be something stronger.
>
> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to
SHA3. There's a lot of crypto software out there already using it. pbkdf2
is still using SHA2.
Worthwhile to read over:
<https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016>
libsodium's a pretty trivial compile, I added it to Zimbra a while back for
another project.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6:17 p.m.
New subject: Revisiting the SHA1 default password hash
Quanah Gibson-Mount wrote:
--On Friday, February 24, 2017 8:32 PM +0000 Howard Chu
<hyc(a)symas.com> wrote:
>> Yes, but there should be something stronger.
>>
>> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
>
> Yeah at this point we can probably bypass SHA2 and just go straight to
> SHA3. There's a lot of crypto software out there already using it. pbkdf2
> is still using SHA2.
Worthwhile to read over:
<https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016>
Hm, where did these recommendations come from? They include Scrypt among their
recommendations, but there are Scrypt ASICs all over the web already making it
trivially hackable.
e.g. http://zoomhash.com/ (just google "scrypt asic" ...)
libsodium's a pretty trivial compile, I added it to Zimbra a while back for
another project.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:31 p.m.
New subject: Revisiting the SHA1 default password hash
On Sat, 2017-02-25 at 02:17 +0000, Howard Chu wrote:
Quanah Gibson-Mount wrote:
> --On Friday, February 24, 2017 8:32 PM +0000 Howard Chu <hyc@symas.
> com> wrote:
>
> > > Yes, but there should be something stronger.
> > >
> > > How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
> >
> > Yeah at this point we can probably bypass SHA2 and just go
> > straight to
> > SHA3. There's a lot of crypto software out there already using
> > it. pbkdf2
> > is still using SHA2.
>
> Worthwhile to read over:
> <https://paragonie.com/blog/2016/02/how-safely-store-password-in-20
> 16>
Hm, where did these recommendations come from? They include Scrypt
among their
recommendations, but there are Scrypt ASICs all over the web already
making it
trivially hackable.
e.g. http://zoomhash.com/ (just google "scrypt asic" ...)
>
> libsodium's a pretty trivial compile, I added it to Zimbra a while
> back for
> another project.
When I asked notable Kiwi security researcher Peter Gutmann on the
sidelines of Kiwicon about what to use if I ever imagined a Samba un-
shackled from the restrictions of Windows compatibility (the printed
conference program poked fun at AD for MD4), he strongly recommended
Argon2 as mentioned in the link above.
Either way, I'll follow this thread with interest, as I'm keen to have
a password hash in Samba that is both best-of-breed and shared between
modern OpenLDAP and Samba, for our administrators who need password
sync.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
1793
days inactive
1794
days old
2 comments
3 participants
participants (3)
-
Andrew Bartlett -
Howard Chu -
Quanah Gibson-Mount