> Quanah Gibson-Mount <quanah(a)symas.com> wrote on 13.01.2020 at 17:15 in
> --On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl wrote:
>> Quanah Gibson-Mount <quanah(a)symas.com> wrote on 08.01.2020 at
>> message <CA17B510ABD069A7884B759C(a)[192.168.1.144]>:
>>> --On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder
>>> <michael(a)stroeder.com> wrote:
>>>> AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider
>>>> this to be rather irrelevant here.
>>> Incorrect, it's clearly implemented in slapd. Whether it's enabled is a
>>> different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)
>>> In any case, I've been advocating for several years now to get rid of
>>> SSHA as the default hashing mechanism and replace it with something
>>> that may actually have some security value.
>> Is a "well-salted" SHA-1 really worse than a "poorly-salted"
>> Isn't it all about the number of bits that have to be checked
> As Howard already noted, what we're looking for is something like Argon2,
> not further SSHA derivatives.
There may be a security benefit like going from paranoid to triple paranoid,
but for real life I think users' poor passwords and the handling of those
(keeping them in unsafe memory, phishing, post-it stickers, etc.) gives real
attackers easier means to "get the password".
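As an added example (not code from this thread or from OpenLDAP), the {SSHA} storage format slapd uses by default, next to a memory-hard KDF, with a guess-rate comparison that shows why the salt question above is separate from the per-guess cost question. hashlib.scrypt stands in for Argon2, which the Python stdlib lacks; the "{SCRYPT}" label and its salt layout are constructed for this example, not an OpenLDAP scheme.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# OpenLDAP {SSHA} storage format: base64(SHA1(password || salt) || salt).
# slappasswd generates a 4-byte salt by default; any salt length decodes the same way.
def ssha_encode(password: bytes, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: bytes, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

# Memory-hard alternative. hashlib.scrypt stands in for Argon2 here (not in the stdlib);
# the "{SCRYPT}" label and layout are constructed for this example, not an OpenLDAP scheme.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # about 16 MiB of memory per guess

def scrypt_encode(password: bytes, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS)
    return "{SCRYPT}" + base64.b64encode(salt + key).decode("ascii")

def scrypt_verify(password: bytes, stored: str) -> bool:
    if not stored.startswith("{SCRYPT}"):
        return False
    raw = base64.b64decode(stored[len("{SCRYPT}"):])
    salt, key = raw[:16], raw[16:]
    return hmac.compare_digest(hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS), key)

# Salt length only decides how much precomputation helps an attacker; it does nothing
# for the per-guess cost, which is what separates SSHA from a memory-hard KDF.
def guesses_per_second(encode, seconds: float = 0.2) -> float:
    salt = b"\x00\x01\x02\x03"             # constructed fixed salt: same work for every call
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        encode(b"Password1", salt)
        n += 1
    return n / seconds

if __name__ == "__main__":
    stored = ssha_encode(b"secret")
    print(stored, ssha_verify(b"secret", stored), ssha_verify(b"guess", stored))
    print("SSHA guesses/s:   %.0f" % guesses_per_second(ssha_encode))
    print("scrypt guesses/s: %.0f" % guesses_per_second(scrypt_encode))
```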