On 30/09/2009 11:54, Zdenek Styblik wrote:
I'd say it depends on the type of leak of credentials - if database is stolen, or password is sniffed through eg. http [web app] - in the first case, hashed passwords will buy time; the second - it doesn't matter, how's the password stored in LDAP - right?
Several different cases here: 1) Database is stolen: the stronger the hash algorithm, the more time you buy. 2) Password is sniffed in plain text: hash-independant, since the attacker already has clear text password 3) Brute force attack by attempting to bind to LDAP server: if the hash only takes 8 characters into account, that makes brute-forcing a lot easier - limited number of possibilities. Other than that, hashes should be equivalent in this case, aside from server load.
Of course, there are other considerations, such as password policy locks, password complexity and of course users with post-it notes.
Back to the original topic though: the way a password is stored is really only the LDAP server's business. As Howard said, OpenLDAP uses SSHA by default - unless you notice some performance hit from that, there's no reason to change it.