
Re: RFC2256: userPassword




Paul Leach wrote:

> And, offline parallelizable precomputed dictionary attacks, while vendor
> specific, are quite feasible.

Especially when no salt is used ;-)  I know, I implemented such a thing
last year.  Very instructive.

> Which is all I wanted to warn people about
> when this started. SHA and MD5 are NOT strong against this kind of attack.

It's deeper than that.  No style of user-keyable credential is strong enough
now.  Users don't provide enough entropy.  Password fields can be enlarged
as much as we want, but there is so much entropy people will use.  The
entropy used by the most security-conscious users is now within reach and it is
only getting worse.  By the hour.

Julio
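
The salt point raised in this message, as an added example that is not part of the original thread: it builds unsalted `{SHA}` and salted `{SSHA}` userPassword values and audits a directory for users who share a stored value. The `{SSHA}` layout used here (base64 of SHA-1(password || salt) followed by the salt) is the convention common LDAP servers use and is an assumption, as are the 8-byte salt, the function names and the constructed sample entries.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SHA1_LEN = 20  # SHA-1 digest size in bytes


def sha_value(password: bytes) -> str:
    """Unsalted {SHA}: base64(SHA-1(password)); same password, same value."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def ssha_value(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt  # 8-byte salt: example choice
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    elif stored.startswith("{SHA}"):
        expected, salt = base64.b64decode(stored[len("{SHA}"):]), b""
    else:
        raise ValueError("unsupported scheme")
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), expected)


def shared_values(entries: Dict[str, str]) -> List[List[str]]:
    """Audit helper: users whose stored values are byte-identical."""
    groups: Dict[str, List[str]] = {}
    for user, value in entries.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed directory entries: alice and bob chose the same password.
SAMPLE = [("alice", b"password"), ("bob", b"password"), ("carol", b"hunter2")]
UNSALTED = {user: sha_value(pw) for user, pw in SAMPLE}
SALTED = {user: ssha_value(pw) for user, pw in SAMPLE}

if __name__ == "__main__":
    print(shared_values(UNSALTED))  # [['alice', 'bob']]
    print(shared_values(SALTED))    # []
```

The salt only removes the shared, precomputable value; each candidate password still costs one SHA-1 per entry to check, so it does nothing for a password with little entropy.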