I've added this security consideration in response to your note below:
6.3.4. Hashed Password Security Considerations
Some authentication mechanisms (e.g. DIGEST-MD5) transmit a hash of the password value that may be vulnerable to offline dictionary attacks. Implementers should take care to protect such hashed password values during transmission using mechanisms similar to those suggested for protecting clear text passwords.
Roger
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 10/13/2005 1:54 pm >>>
At 12:27 PM 10/13/2005, Hallvard B Furuseth wrote:
>CRAM-MD5 seems to be the only alternative mechanism which is widely
>enough deployed to suggest now. That mechanism apparently has its own
>problems, though. So I suggest to keep the DIGEST-MD5 reference.

I note that while CRAM-MD5 and DIGEST-MD5 don't expose the actual password, they do expose a hash of that password that is quite prone to offline dictionary attacks. I'd argue that you need to be just as careful as to whom you give that hash to as you are about giving out the actual password.

Kurt
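The point Kurt makes, shown as an added worked example (this code is not part of the thread, the draft text, or any OpenLDAP code): a passive eavesdropper on a CRAM-MD5 (RFC 2195) exchange sees the server's challenge and the client's HMAC-MD5 response. Nothing in that pair is the password, yet the pair is a complete verifier for password guesses, so the attacker can test a dictionary offline at MD5 speed with no further contact with the server. The challenge, username and password below are the sample values from RFC 2195; the wordlist is constructed for the example. DIGEST-MD5 differs in its message format but is exposed in the same way, which is why the draft text above treats the transmitted hash like a cleartext password.

```python
import base64
import hashlib
import hmac

# Client step of CRAM-MD5 (RFC 2195): the response is
# base64("<username> " + hex(HMAC-MD5(key=password, msg=challenge))).
def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


# Server step: recompute the HMAC from the stored secret and compare in constant time.
# Note that the server itself needs the cleartext password (or HMAC-MD5 inner/outer
# state derived from it) to do this; CRAM-MD5 cannot verify against a salted hash.
def server_verify(expected_password: str, challenge: bytes, response: bytes) -> bool:
    username, digest = base64.b64decode(response).decode().split(" ", 1)
    expected = hmac.new(expected_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


# Eavesdropper step: given only what crossed the wire, try each candidate password.
# Every guess costs one HMAC-MD5; the real server is never contacted, so no lockout
# or rate limit applies. Returns (username, recovered_password_or_None).
def offline_dictionary_attack(challenge: bytes, response: bytes, wordlist):
    username, digest = base64.b64decode(response).decode().split(" ", 1)
    for guess in wordlist:
        candidate = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
        if candidate == digest:
            return username, guess
    return username, None


def run_demo():
    # Challenge, username and password are the example values given in RFC 2195.
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    username, password = "tim", "tanstaaftanstaaf"

    # The legitimate exchange: client answers, server accepts.
    response = cram_md5_response(username, password, challenge)
    accepted = server_verify(password, challenge, response)

    # Constructed wordlist standing in for a real dictionary; the attacker only
    # needs the captured (challenge, response) pair to check every entry.
    wordlist = ["password", "letmein", "tanstaaf", "tanstaaftanstaaf", "hunter2"]
    recovered = offline_dictionary_attack(challenge, response, wordlist)
    return accepted, recovered


if __name__ == "__main__":
    accepted, (user, pw) = run_demo()
    print(f"server accepted login: {accepted}")
    print(f"offline attack recovered: user={user!r} password={pw!r}")
```

The defensive consequence is the one the draft text states: the exchange must be confidentiality-protected (e.g. run over TLS) exactly as a cleartext Simple Bind would be, because anyone who can read the transmitted hash can attack it at leisure.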