Re: Revisiting the SHA1 default password hash

Quanah Gibson-Mount wrote:
> --On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder <michael@stroeder.com> wrote:
>> Quanah Gibson-Mount wrote:
>>> I think it would be wise to update OpenLDAP to a different default for
>>> userPassword.
>> Yes!
>>> We currently have the Contrib SHA2 module,
>> SHA-2 hashes with one round are also way too fast to be a good password
>> hash algorithm.
>>> It may be time to move the SHA2 module into core,
>> Yes, but there should be something stronger.
> Did you just skip entirely past the point where I said:
> "but there has been some discussion of the limitations of the current SHA2 module in
> the past that would likely need addressing"

Sorry, it seems I misread your sentence: I assumed you're talking about concrete
deficiencies of the implementation in ./contrib/slapd-modules/passwd/sha2.

I was referring to the strength of the password hashing scheme.

> And yes, perhaps PBKDF2 should be in core as well. ;)

Would be nice.

Ciao, Michael.
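To make the "one round is too fast" point above concrete, here is an added example (not code from the thread or from OpenLDAP) that builds and verifies userPassword values in two storage formats: the current {SSHA} default, which is base64(SHA1(password || salt) || salt), and a {PBKDF2-SHA256} value whose layout (rounds$salt$hash, passlib-style adapted base64) is assumed to match the contrib pw-pbkdf2 module; the last function measures how much more work a single verification costs.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

PASSWORD = "correct horse battery staple"  # constructed sample password


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: one SHA-1 round over password || salt, salt appended."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def _ab64(b: bytes) -> str:
    # Adapted base64 ('+' -> '.', no '=' padding); assumed to match pw-pbkdf2.
    return base64.b64encode(b).decode().replace("+", ".").rstrip("=")


def _unab64(s: str) -> bytes:
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def pbkdf2_hash(password: str, rounds: int = 10000, salt: Optional[bytes] = None) -> str:
    """Assumed {PBKDF2-SHA256} layout: rounds$salt$derived-key, all tunable cost."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "{PBKDF2-SHA256}%d$%s$%s" % (rounds, _ab64(salt), _ab64(dk))


def pbkdf2_verify(stored: str, password: str) -> bool:
    rounds, salt, dk = stored[len("{PBKDF2-SHA256}"):].split("$")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), _unab64(salt), int(rounds))
    return hmac.compare_digest(calc, _unab64(dk))


def work_factor_ratio(rounds: int = 10000, n: int = 20) -> float:
    """Seconds per PBKDF2 verification divided by seconds per SSHA verification."""
    s, p = ssha_hash(PASSWORD, b"\0" * 8), pbkdf2_hash(PASSWORD, rounds, b"\0" * 16)
    t0 = time.perf_counter()
    for _ in range(n):
        ssha_verify(s, PASSWORD)
    t1 = time.perf_counter()
    for _ in range(n):
        pbkdf2_verify(p, PASSWORD)
    return (time.perf_counter() - t1) / max(t1 - t0, 1e-9)
```

An attacker guessing passwords offline pays the same per-guess cost the verifier pays, so the ratio returned by work_factor_ratio is the factor by which the stronger scheme slows a dictionary attack against a leaked directory.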