
RE: RFC2256: userPassword



Well at least you give the guys the work of running the dictionary
attack...better than giving them the password in the first place.
This also depends on the hash you are using; some hash functions
may give them a real hard time....

				Juan

On Tue, 29 Jun 1999, Paul Leach wrote:

> Having world readable hashed passwords is almost as bad as having plaintext
> ones. In many authentication protocols, the hashed password is plaintext
> equivalent (i.e., lets you authenticate as the user whose password hash you
> have). In many other cases, checking the hash of 100,000 easy-to-remember
> variants of a few million "dictionary" words to see if they match a
> particular hashed password can be done in a few days by one computer. (1
> million checks per second is not infeasible.)
> 
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Tuesday, June 29, 1999 8:32 AM
> To: ietf-ldapext@netscape.com
> Subject: RFC2256: userPassword
> 
> 
> RFC2256 5.36 userPassword says "Passwords are stored using an
> Octet String syntax and are not encrypted."  However, it's
> common practice to store "encrypted" passwords in userPassword
> using a mechanism derived from RFC2307 (ie: userPassword: {method}hash).
> 
> For security considerations, I believe it unwise to ever maintain
> a cleartext userPassword.  I believe RFC2256 should be updated to
> read:
> 
>   Passwords are stored using an Octet String syntax and SHOULD be
>   encrypted.  ...
> 
> It would also be wise to standardize the syntax for encrypted
> userPassword representation (ie: replace Octet String with an
> appropriate syntax).
> 
> Kurt
>
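As an added illustration that is not code from this thread, here is a small Python verifier for the RFC2307-style `{method}hash` userPassword form Kurt describes, next to the bare cleartext form RFC2256 specifies. It assumes `{SHA}` (unsalted SHA-1) and `{SSHA}` (salted SHA-1, the OpenLDAP convention, not defined in RFC2307) as the methods; the stored sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed samples of the two representations discussed in the thread:
# the plain Octet String of RFC2256 and the "{method}hash" form of RFC2307.
CLEARTEXT_SAMPLE = "secret"                                 # readable as-is
SHA_SAMPLE = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="            # sha1("secret")


def parse_user_password(value: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}data" into (scheme, decoded data).
    A value without a scheme prefix is the RFC2256 cleartext form."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        scheme = value[1:end].upper()
        data = value[end + 1:]
        if scheme in ("SHA", "SSHA"):
            return scheme, base64.b64decode(data)
        return scheme, data.encode()
    return "CLEARTEXT", value.encode()


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt).
    The per-entry salt defeats precomputed dictionary tables, though it
    does not stop per-hash guessing against a leaked value."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, data = parse_user_password(stored)
    if scheme == "CLEARTEXT":
        expected, actual = data, candidate.encode()
    elif scheme == "SHA":
        expected, actual = data, hashlib.sha1(candidate.encode()).digest()
    elif scheme == "SSHA":
        digest, salt = data[:20], data[20:]      # SHA-1 digest is 20 bytes
        expected = digest
        actual = hashlib.sha1(candidate.encode() + salt).digest()
    else:
        raise ValueError(f"unsupported userPassword scheme {scheme}")
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(expected, actual)
```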