Re: RFC2256: userPassword
RE>>RFC2256: userPassword
> The argument here is that having a bunch of world readable passwords IS
> the same as having cleartext passwords in todays world. Running a few
> programs (which are presumably either already on web sites, or would
> appear there the moment someone detected this kind of weakness) is well
> within the effort which even kiddie hackers are willing to expend.
> After all, they have nothing else to do. World readable hashed
> passwords can also presumably be stolen en-masse and divided among a
> group of enthusiasts for faster cracking.
Why are they world-readable in the first place? I figured authentication
(of users on behalf of other services) would be done with an LDAP Compare
operation, and that you would have the userPassword attribute not readable
but only Compare-able. A dictionary attack would still be possible, but
would require going through the LDAP server for every possible value.
Paul Collins
One Click Systems
** One Click Systems http://www.oneclick.com/ info@oneclick.com **
** ClickMail Central Directory - master address book - LDAP server **
** Chat with us--Wednesdays 10AM Pacific/1PM EST (www.oneclick.com) **
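To make the distinction in this reply concrete, here is an added example (not part of the thread, and not from any of its authors) of what "readable" versus "only Compare-able" looks like as an OpenLDAP access control list in cn=config LDIF. The database DN, the suffix dc=example,dc=com and the service account cn=authsvc are assumptions chosen for illustration. The first olcAccess rule is the weak setting the quoted poster is worried about: any bound user can read the hashes and crack them offline. The second is the corrected setting: users may bind with their own password (auth), one designated service may issue Compare against userPassword (compare), and nobody, not even the user, can read the attribute back.

```ldif
# Assumed database entry; adjust to your backend/index.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# WEAK: every authenticated user can read every userPassword hash.
# This is the "world readable hashed passwords" case from the quoted mail.
# (Shown for contrast only; remove it before loading.)
olcAccess: {0}to attrs=userPassword
  by self write
  by users read
  by * none
```

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# CORRECTED: userPassword is never readable.
#   self          -> may change their own password
#   anonymous     -> "auth" permits Simple Bind only (needed to log in at all)
#   cn=authsvc    -> "compare" permits the LDAP Compare operation, but not read
#   everyone else -> nothing, not even existence disclosure
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=authsvc,ou=services,dc=example,dc=com" compare
  by * none
# Everything else stays readable to authenticated users as usual.
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Two practical notes on the corrected form. OpenLDAP's access levels are cumulative (none < disclose < auth < compare < search < read < write), so "compare" deliberately stops short of "search" and "read": a Search filter such as (userPassword=*) from cn=authsvc will not match, and a plain Read of the attribute returns nothing. And Compare still works when userPassword is stored hashed (for example {SSHA}), because slapd hashes the asserted value before comparing; the attacker's only option is then an online guess per Compare, which the server can log and rate-limit, exactly the trade-off the reply describes.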