
Re: PHP: issues managing the password, what is wrong?



On Wed, Sep 30, 2009 at 3:51 AM, Jonathan Clarke
<jonathan@phillipoux.net> wrote:
> On 30/09/2009 11:54, Zdenek Styblik wrote:
>>
>> I'd say it depends on the type of leak of credentials - if database is
>> stolen, or password is sniffed through eg. http [web app] - in the first
>> case, hashed passwords will buy time; the second - it doesn't matter,
>> how's the password stored in LDAP - right?
>
> Several different cases here:
> 1) Database is stolen: the stronger the hash algorithm, the more time you
> buy.
> 2) Password is sniffed in plain text: hash-independent, since the attacker
> already has the clear text password
> 3) Brute force attack by attempting to bind to LDAP server: if the hash only
> takes 8 characters into account, that makes brute-forcing a lot easier -
> limited number of possibilities. Other than that, hashes should be
> equivalent in this case, aside from server load.
>
> Of course, there are other considerations, such as password policy locks,
> password complexity and of course users with post-it notes.
>
> Back to the original topic though: the way a password is stored is really
> only the LDAP server's business. As Howard said, OpenLDAP uses SSHA by
> default - unless you notice some performance hit from that, there's no
> reason to change it.
>
> Jonathan
>

 Guys, I appreciated this help. Clarke, I found what I was looking
for in the link you gave me; it is clear and already
customized for me.

  I have learned so much from this post. I had been searching around
without any luck, but now it is much clearer to me.

  Thanks again for your help, and my acknowledgement to all of you!!!

-- 
Living the dream...