Quanah Gibson-Mount quanah@symas.com wrote on 13.01.2020 at 17:15 in
message <A3800A014D08046DDE90E71C@[192.168.1.144]>:
--On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Quanah Gibson-Mount quanah@symas.com wrote on 08.01.2020 at 03:05 in
message <CA17B510ABD069A7884B759C@[192.168.1.144]>:
--On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder michael@stroeder.com wrote:
AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider this to be rather irrelevant here.
Incorrect, it's clearly implemented in slapd. Whether it's enabled is a different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)
In any case, I've been advocating for several years now to get rid of SSHA as the default hashing mechanism and replace it with something that may actually have some security value.
Is a "well-salted" SHA-1 really worse than a "poorly-salted" SHA-256? Isn't it all about the number of bits that have to be checked (brute-force)?
As Howard already noted, what we're looking for is something like Argon2, not further SSHA derivatives.
There may be a security benefit like going from paranoid to triple paranoid, but for real life I think users' poor passwords and the handling of those (keeping them in unsafe memory, phishing, post-it stickers, etc.) gives real attackers easier means to "get the password".
Regards, Ulrich
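The SSHA-versus-Argon2 exchange above turns on what a stored value actually costs to check. The following is an added example, not code from the thread or from OpenLDAP: it builds and verifies values in the {SSHA} and {SSHA256} layout that slapd stores (scheme prefix, then base64 of digest followed by the clear salt), and measures the per-verification cost next to a memory-hard KDF. The standard library has no Argon2, so hashlib.scrypt stands in for it under an assumed, constructed "{X-SCRYPT}" label; the scrypt parameters and the salt sizes are assumptions, not OpenLDAP defaults.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Layout of OpenLDAP's {SSHA} and {SSHA256} userPassword values:
#   "{SCHEME}" + base64( digest(password || salt) || salt )
# The salt sits in the clear after the digest, so a verifier recovers it
# from the stored value; it is not a secret.
DIGESTS = {"{SSHA}": hashlib.sha1, "{SSHA256}": hashlib.sha256}


def ssha_hash(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Create a salted digest in the {SSHA}/{SSHA256} layout."""
    digest_fn = DIGESTS[scheme]
    if salt is None:
        # Salt length is not fixed by the format; 4 bytes is an assumption here.
        salt = os.urandom(4)
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str):
    """Return (scheme, digest, salt), recovering the salt from the stored value."""
    scheme = stored[: stored.index("}") + 1]
    raw = base64.b64decode(stored[len(scheme):])
    dlen = DIGESTS[scheme]().digest_size
    return scheme, raw[:dlen], raw[dlen:]


def ssha_verify(password: str, stored: str) -> bool:
    """One verification attempt: one digest over password || salt."""
    scheme, digest, salt = ssha_split(stored)
    candidate = DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Memory-hard stand-in. Assumption: stdlib scrypt plays the role of Argon2;
# "{X-SCRYPT}" is a constructed label, not a scheme OpenLDAP ships.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "{X-SCRYPT}" + base64.b64encode(key + salt).decode("ascii")


def scrypt_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{X-SCRYPT}"):])
    key, salt = raw[:KEY_LEN], raw[KEY_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, key)


def seconds_per_verify(verify, stored: str, rounds: int = 200) -> float:
    """Wall-clock cost of one verification; this is the cost each offline
    guess also pays, and it does not grow with salt length or digest width."""
    t0 = time.perf_counter()
    for i in range(rounds):
        verify("candidate-%d" % i, stored)
    return (time.perf_counter() - t0) / rounds


if __name__ == "__main__":
    for scheme in DIGESTS:
        stored = ssha_hash("correct horse", scheme)
        print(scheme, "%.2e s/verify" % seconds_per_verify(ssha_verify, stored))
    stored = scrypt_hash("correct horse")
    print("{X-SCRYPT}", "%.2e s/verify" % seconds_per_verify(scrypt_verify, stored, rounds=5))
```

Running the script prints the per-attempt cost of each scheme on the local machine. The salt defeats precomputed tables and forces each account to be attacked separately, but it adds nothing to the cost of a single guess; moving from SHA-1 to SHA-256 changes that cost only marginally, while the memory-hard function raises it by orders of magnitude, which is the property the thread's Argon2 suggestion is after.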