New subject: Revisiting the SHA1 default password hash

Friday, 24 February 2017

--On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder 
<michael(a)stroeder.com&gt; wrote:

...
 Quanah Gibson-Mount wrote:
> I think it would be wise to update OpenLDAP to a different default for
> userPassword.

 Yes!

> We currently have the Contrib SHA2 module,

 SHA-2 hashes with one round are also way too fast to be a good password
 hash algorithm.

> It may be time to move the SHA2 module into core,

 Yes, but there should be something stronger. 
Did you just skip entirely past the point where I said:

"but there has been some discussion of the limitations of the current SHA2 
module in the past that would likely need addressing"

?? :)

The point of that sentence was to note that there are issues with the 
current SSHA2 module that would need fixing prior to moving it to core.

And yes, perhaps PBKDF2 should be in core as well. ;)

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: Revisiting the SHA1 default password hash