On Wed, Sep 30, 2009 at 3:51 AM, Jonathan Clarke jonathan@phillipoux.net wrote:
On 30/09/2009 11:54, Zdenek Styblik wrote:
I'd say it depends on the type of leak of credentials - if the database is stolen, or the password is sniffed through e.g. HTTP [web app] - in the first case, hashed passwords will buy time; in the second it doesn't matter how the password is stored in LDAP - right?
Several different cases here:
1) Database is stolen: the stronger the hash algorithm, the more time you buy.
2) Password is sniffed in plain text: hash-independent, since the attacker already has the clear-text password.
3) Brute-force attack by attempting to bind to the LDAP server: if the hash only takes 8 characters into account, that makes brute-forcing a lot easier - limited number of possibilities. Other than that, hashes should be equivalent in this case, aside from server load.
Of course, there are other considerations, such as password policy locks, password complexity and of course users with post-it notes.
Back to the original topic though: the way a password is stored is really only the LDAP server's business. As Howard said, OpenLDAP uses SSHA by default - unless you notice some performance hit from that, there's no reason to change it.
Jonathan
Guys, I appreciated this help. Clarke, I had found what I was looking for in the link you gave me; it is clear and already customized for me.
I have learned so much with this post. I had been searching around without any luck, but now it is clearer to me.
Thanks again for your help and acknowledgement to all of you!!!