On 30/09/2009 11:54, Zdenek Styblik wrote:
I'd say it depends on the type of leak of credentials - if the database is
stolen, or the password is sniffed through e.g. http [web app] - in the first
case, hashed passwords will buy time; in the second it doesn't matter
how the password is stored in LDAP - right?
Several different cases here:
1) Database is stolen: the stronger the hash algorithm, the more time
you buy.
2) Password is sniffed in plain text: hash-independent, since the
attacker already has the clear text password
3) Brute force attack by attempting to bind to LDAP server: if the hash
only takes 8 characters into account, that makes brute-forcing a lot
easier - limited number of possibilities. Other than that, hashes should
be equivalent in this case, aside from server load.
Of course, there are other considerations, such as password policy
locks, password complexity and of course users with post-it notes.
Back to the original topic though: the way a password is stored is
really only the LDAP server's business. As Howard said, OpenLDAP uses
SSHA by default - unless you notice some performance hit from that,
there's no reason to change it.
Jonathan