--On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder michael@stroeder.com wrote:
> Quanah Gibson-Mount wrote:
>> I think it would be wise to update OpenLDAP to a different default for userPassword.
> Yes!
>> We currently have the Contrib SHA2 module,
> SHA-2 hashes with one round are also way too fast to be a good password hash algorithm.
>> It may be time to move the SHA2 module into core,
> Yes, but there should be something stronger.
Did you just skip entirely past the point where I said:
"but there has been some discussion of the limitations of the current SHA2 module in the past that would likely need addressing"
?? :)
The point of that sentence was to note that there are issues with the current SSHA2 module that would need fixing prior to moving it to core.
And yes, perhaps PBKDF2 should be in core as well. ;)
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com

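Added example, not code from this thread or from the OpenLDAP contrib modules: a salted single-round SHA-256 hash in the {SSHA}-style digest-then-salt layout beside a PBKDF2-HMAC-SHA256 hash, plus a helper that counts the SHA-256 work a guess costs, which is the gap the "too fast" remark is about. The {PBKDF2-SHA256} string layout is constructed for this example and is not the pw-pbkdf2 module's format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX_SSHA = "{SSHA256}"
PREFIX_PBKDF2 = "{PBKDF2-SHA256}"  # constructed label for this example's own layout

def ssha256_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted single-round SHA-256, stored as {SSHA256}base64(digest || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password + salt).digest()
    return PREFIX_SSHA + base64.b64encode(digest + salt).decode()

def ssha256_verify(password: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len(PREFIX_SSHA):])
    digest, salt = raw[:32], raw[32:]          # SHA-256 digest is 32 bytes; rest is salt
    return hmac.compare_digest(hashlib.sha256(password + salt).digest(), digest)

def pbkdf2_hash(password: bytes, rounds: int = 100_000, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a tunable work factor. The 'rounds$salt$dk' layout
    is constructed for this example; it is not the contrib pw-pbkdf2 format."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)
    return "%s%d$%s$%s" % (PREFIX_PBKDF2, rounds,
                            base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def pbkdf2_verify(password: bytes, stored: str) -> bool:
    rounds_s, salt_b64, dk_b64 = stored[len(PREFIX_PBKDF2):].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, base64.b64decode(salt_b64),
                             int(rounds_s), dklen=32)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def sha256_calls_per_guess(stored: str) -> int:
    """SHA-256 invocations an attacker pays per candidate password: one for a
    single-round salted hash, about two per iteration for PBKDF2-HMAC (the inner
    and outer HMAC hashes). This is what 'too fast' means in the thread."""
    if stored.startswith(PREFIX_SSHA):
        return 1
    rounds = int(stored[len(PREFIX_PBKDF2):].split("$")[0])
    return 2 * rounds

if __name__ == "__main__":
    pw = b"correct horse battery staple"       # constructed sample password
    for h in (ssha256_hash(pw), pbkdf2_hash(pw)):
        print(h[:40] + "...", sha256_calls_per_guess(h), "SHA-256 calls per guess")
```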
Quanah Gibson-Mount wrote:
> --On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder michael@stroeder.com wrote:
>> Quanah Gibson-Mount wrote:
>>> I think it would be wise to update OpenLDAP to a different default for userPassword.
>> Yes!
>>> We currently have the Contrib SHA2 module,
>> SHA-2 hashes with one round are also way too fast to be a good password hash algorithm.
>>> It may be time to move the SHA2 module into core,
>> Yes, but there should be something stronger.
> Did you just skip entirely past the point where I said:
> "but there has been some discussion of the limitations of the current SHA2 module in the past that would likely need addressing"
Sorry, it seems I misread your sentence: I assumed you're talking about concrete deficiencies of the implementation in ./contrib/slapd-modules/passwd/sha2.
I was referring to the strength of the password hashing scheme.
> And yes, perhaps PBKDF2 should be in core as well. ;)
Would be nice.
Ciao, Michael.

Michael Ströder wrote:
> I was referring to the strength of the password hashing scheme.
And yes, I read your note about bcrypt. But I assumed that something which is already there and tested may be the most successful route for now.
Ciao, Michael.