
Re: RFC2256: userPassword

> The argument here is that having a bunch of world-readable passwords IS
> the same as having cleartext passwords in today's world.  Running a few
> programs (which are presumably either already on web sites, or would
> appear there the moment someone detected this kind of weakness) is well
> within the effort which even kiddie hackers are willing to expend.
> After all, they have nothing else to do.  World-readable hashed
> passwords can also presumably be stolen en masse and divided among a
> group of enthusiasts for faster cracking.

Why are they world-readable in the first place? I figured authentication
(of users on behalf of other services) would be done with an LDAP Compare
operation, and that you would have the userPassword attribute not readable
but only Compare-able. A dictionary attack would still be possible, but
would require going through the LDAP server for every possible value.

Paul Collins
One Click Systems


** One Click Systems   http://www.oneclick.com/   info@oneclick.com **
** ClickMail Central Directory - master address book - LDAP server  **
** Chat with us--Wednesdays 10AM Pacific/1PM EST (www.oneclick.com) **
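The arrangement Paul describes (userPassword hashed, not readable, but usable for Compare, so every guess has to pass through the server) is what OpenLDAP's `access to attrs=userPassword by self write by anonymous auth by * none` ACL expresses, where the `auth` level allows bind and compare but not read. The following is an added, self-contained Python model of that policy, written for this thread and not taken from any list participant or from any LDAP server's code. It stores a constructed `{SSHA}` value for a constructed user, withholds the attribute from search results, answers Compare requests without ever returning the hash, and keeps a per-entry compare counter so the server-side chokepoint can actually be watched. The DN, ACL table and threshold are assumptions for illustration.

```python
import base64
import hashlib
import hmac
from collections import Counter

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: bytes) -> str:
    """Produce an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample directory (hypothetical DN and password, not real data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn": ["Alice Example"],
        "userPassword": [ssha_hash("correct horse", b"\x01\x02\x03\x04")],
    },
}

# Access levels in the spirit of OpenLDAP ACLs: none < auth < read.
# "auth" permits bind and compare on the attribute but never disclosure.
LEVELS = {"none": 0, "auth": 1, "read": 2}
ACL = {"userPassword": "auth", "*": "read"}  # assumed policy for this example


class DirectoryServer:
    def __init__(self, directory, acl):
        self.directory = directory
        self.acl = acl
        self.compare_log = Counter()  # audit trail: Compare requests per entry

    def _level(self, attr: str) -> int:
        return LEVELS[self.acl.get(attr, self.acl["*"])]

    def search(self, dn: str):
        """Return only attributes the client may read; userPassword is withheld."""
        entry = self.directory.get(dn)
        if entry is None:
            return None
        return {a: v for a, v in entry.items() if self._level(a) >= LEVELS["read"]}

    def compare(self, dn: str, attr: str, value: str) -> bool:
        """LDAP Compare: true/false only, the stored value never leaves the server."""
        if self._level(attr) < LEVELS["auth"]:
            raise PermissionError(f"compare on {attr} not permitted")
        self.compare_log[dn] += 1
        entry = self.directory.get(dn)
        if entry is None:
            return False
        for stored in entry.get(attr, []):
            if attr == "userPassword" and stored.startswith(SSHA_PREFIX):
                if ssha_verify(value, stored):
                    return True
            elif stored == value:
                return True
        return False


def entries_over_compare_threshold(server: DirectoryServer, threshold: int):
    """Detection hook: entries whose Compare count exceeds the threshold.
    Because guesses must go through the server, this is where to rate-limit or alert."""
    return sorted(dn for dn, n in server.compare_log.items() if n > threshold)


if __name__ == "__main__":
    srv = DirectoryServer(DIRECTORY, ACL)
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("search result:", srv.search(dn))           # no userPassword key
    print("compare good:", srv.compare(dn, "userPassword", "correct horse"))
    print("compare bad:", srv.compare(dn, "userPassword", "wrong"))
    print("compares seen:", dict(srv.compare_log))
```

The point of the counter is that a Compare-only policy turns an offline cracking problem into an online one, which the server can observe, throttle and log; a readable hash gives the defender none of those options.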