
RE: RFC2256: userPassword



Juan,
	The argument here is that having a bunch of world
readable passwords IS the same as having cleartext passwords
in today's world.  Running a few programs (which are presumably
either already on web sites, or would appear there the moment
someone detected this kind of weakness) is well within the effort which
even kiddie hackers are willing to expend.  After all, they have
nothing else to do.  World readable hashed passwords can also presumably
be stolen en masse and divided among a group of enthusiasts for
faster cracking.

Robert Allen
rja@Eng.Sun.COM


>>Date: Tue, 29 Jun 1999 10:49:56 -0700 (PDT)
>>From: Gomez <gomez@lhola.engr.sgi.com>
>>Subject: RE: RFC2256: userPassword
>>Resent-sender: ietf-ldapext-request@netscape.com
>>To: Paul Leach <paulle@microsoft.com>
>>Cc: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.Org>, ietf-ldapext@netscape.com
>>MIME-version: 1.0
>>X-Loop: ietf-ldapext@netscape.com
>>X-Mailing-List: <ietf-ldapext@netscape.com>
>>
>>
>>Well, at least you give the guys the work of running the dictionary
>>attack...better than giving them the password in the first place.
>>This also depends on the hash you are using; some hash functions
>>may give them a real hard time....
>>
>>				Juan
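
An added illustration of the two positions in this thread, not part of either message: a password audit over constructed directory entries. With unsalted hashes one pass over a wordlist tests every account at once; with a salted, iterated hash the wordlist must be rehashed per account, yet weak passwords are still found. The user names, wordlist, and the choice of SHA-1 and PBKDF2 are assumptions made for the example.

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist and three directory users.
WORDLIST = ["password", "letmein", "sunshine", "qwerty"]
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "T7#vq9!mZr2w"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def unsalted(password):
    """Fast, unsalted digest: identical passwords give identical values."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow(password, salt):
    """Salted, iterated digest: each guess costs PBKDF2_ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def audit_unsalted(stored):
    """Hash the wordlist once, then look every account up in that table."""
    table = {unsalted(w): w for w in WORDLIST}
    weak = {user: table[h] for user, h in stored.items() if h in table}
    return weak, len(WORDLIST)  # number of hash computations needed


def audit_salted(stored):
    """Each account has its own salt, so the wordlist is rehashed per account."""
    weak, computations = {}, 0
    for user, (salt, digest) in stored.items():
        for word in WORDLIST:
            computations += 1
            if salted_slow(word, salt) == digest:
                weak[user] = word
                break
    return weak, computations


def run_audit():
    """Store the same passwords both ways and audit each store."""
    fast = {u: unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    slow = {u: (salts[u], salted_slow(p, salts[u])) for u, p in USERS.items()}
    return audit_unsalted(fast), audit_salted(slow)


if __name__ == "__main__":
    (weak_fast, n_fast), (weak_slow, n_slow) = run_audit()
    print("unsalted:", sorted(weak_fast), "after", n_fast, "hash computations")
    print("salted:  ", sorted(weak_slow), "after", n_slow, "x", PBKDF2_ITERATIONS, "rounds")
```

Both stores give up the same two weak passwords; what changes is the work, which grows with the number of accounts and the iteration count only in the salted case.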