Re: authmeth: removal of DIGEST-MD5



Kurt D. Zeilenga writes:
> I note that while CRAM-MD5 and DIGEST-MD5 don't expose the
> actual password, they do expose a hash of that password that
> is quite prone to offline dictionary attacks.  I'd argue
> that you need to be just as careful as to whom you give
> that hash to as you are giving out the actual password.

Or not use passwords that resemble words in dictionaries?

Keep in mind that Unix DES crypt is still in use, though...

-- 
Hallvard