[Date Prev][Date Next]
Re: Confused about md5 passwords
On Wed, Dec 12, 2001 at 11:15:45AM -0500, Harry Hoffman wrote:
> However when I use ngrep to watch the traffic between the application
> requesting autentication and the ldap db I see the password in clear text.
Unless you use LDAPv3 and TLS, that's true.
> Should this be happening? If so what purpose does moving to md5 present?
> Or is it just that should someone be able to grab the ldap passwords it
> will be more difficult to crack?
If somebody breaks into the LDAP repository & gets the stored values, then
deriving workable passwords for those MD5 hashes will be, hopefully,
prohibitively expensive. Right.
I am what I am 'cause I ain't what I used to be. - S Bruton & J Fleming