On Wed, Sep 30, 2009 at 3:51 AM, Jonathan Clarke
<jonathan(a)phillipoux.net> wrote:
On 30/09/2009 11:54, Zdenek Styblik wrote:
>
> I'd say it depends on the type of leak of credentials - if database is
> stolen, or password is sniffed through eg. http [web app] - in the first
> case, hashed passwords will buy time; the second - it doesn't matter,
> how's the password stored in LDAP - right?
Several different cases here:
1) Database is stolen: the stronger the hash algorithm, the more time you
buy.
2) Password is sniffed in plain text: hash-independent, since the attacker
already has the clear-text password.
3) Brute force attack by attempting to bind to LDAP server: if the hash only
takes 8 characters into account, that makes brute-forcing a lot easier -
limited number of possibilities. Other than that, hashes should be
equivalent in this case, aside from server load.
Of course, there are other considerations, such as password policy locks,
password complexity and of course users with post-it notes.
Back to the original topic though: the way a password is stored is really
only the LDAP server's business. As Howard said, OpenLDAP uses SSHA by
default - unless you notice some performance hit from that, there's no
reason to change it.
Jonathan
Guys, I appreciated this help. Clarke, I had found what I was looking
for in the link you gave me; it is clear and already
customized for me.
I have learned so much from this post. I had been searching around
without any luck, but now it is clearer to me.
Thanks again for your help, and acknowledgement to all of you!!!
--
Living the dream...
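Jonathan's points above (OpenLDAP stores userPassword as SSHA by default, and a hash that only looks at the first 8 characters shrinks the brute-force space) as an added example that is not part of the original thread: generating and verifying the {SSHA} format, which is base64 of sha1(password || salt) followed by the salt, and checking that every character of the password contributes to the hash. The function names and the 4-byte salt length are my assumptions, not anything from the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha1().digest_size  # SHA-1 digest is 20 bytes

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in OpenLDAP's {SSHA} format.

    Format: "{SSHA}" + base64(sha1(password + salt) + salt).
    A 4-byte random salt is assumed here; the format itself allows any length.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is recovered from the stored value (everything after the
    20-byte digest), so no separate salt storage is needed.
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= DIGEST_LEN:          # must hold a digest plus at least 1 salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, digest)

def uses_whole_password(password: str, salt: bytes) -> bool:
    """True when the hash of the full password differs from the hash of its
    first 8 characters, i.e. characters beyond position 8 still matter.
    (Returns False for passwords of 8 characters or fewer, trivially.)"""
    return ssha_hash(password, salt) != ssha_hash(password[:8], salt)

if __name__ == "__main__":
    # Constructed sample password; same password, fresh salt each time.
    print(ssha_hash("correct horse battery"))
    print(ssha_hash("correct horse battery"))
```

As the thread says, this only buys time against a stolen database; a password sniffed in the clear is unaffected by how the directory stores it.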