Re: Ppolicy - password history

On Friday 19 January 2007 10:32, Andris.Eiduks@tietoenator.com wrote:
> Then do you recommend using only cleartext passwords from the *client* side?

If you store encrypted passwords in userPassword, and do simple binds, you 
*have* to send the cleartext password to authenticate. Sending it to change 
passwords is no additional disclosure.

Of course, if you use simple binds, you want to protect the transport 
(TLS/SSL) anyway (e.g. require all connections to be of a sufficient ssf, or 
have the ACLs on userPassword require a sufficient ssf).

> And if *client" perform password encryption, then password history must
> be stored and compared by * client* side soft ?

Yes, since the client could use different encryption types each time (and use 
the same password 3 or more times).


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
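An added illustration of the point made in the reply above (example code, not from the thread or from OpenLDAP): a server that receives the cleartext can verify a new password against every entry in the history whatever scheme or salt each entry used, whereas a server that only receives a client-hashed value can do no better than a string comparison, which the same password re-hashed with a new salt or scheme passes. Function names, the {SHA}/{SSHA}-only scheme support and the sample password are assumptions for the example.

```python
import base64
import hashlib
import os

def ssha_hash(password, salt=None):
    """RFC 2307-style {SSHA} value: base64(sha1(pw + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def sha_hash(password):
    """Unsalted {SHA} value, another scheme a self-hashing client might pick."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify(password, stored):
    """Check a cleartext password against one stored {SHA} or {SSHA} value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes, salt follows
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        return base64.b64decode(stored[len("{SHA}"):]) == hashlib.sha1(password.encode()).digest()
    return False                                   # unknown scheme: cannot verify

def history_rejects_cleartext(new_password, history):
    """Server got the cleartext (over TLS): it can verify against every old value,
    so reuse is caught regardless of how each old value was hashed."""
    return any(verify(new_password, old) for old in history)

def history_rejects_prehashed(new_hashed, history):
    """Server only got a client-hashed value: a plain comparison is all that is
    possible, so a fresh salt or a different scheme lets the same password through."""
    return new_hashed in history

# Constructed sample history: one password stored three times by a client that
# hashed it itself, with two different salts and then a different scheme.
HISTORY = [
    ssha_hash("Winter2007", b"\x01\x02\x03\x04"),
    ssha_hash("Winter2007", b"\x05\x06\x07\x08"),
    sha_hash("Winter2007"),
]

if __name__ == "__main__":
    print("cleartext check catches reuse:", history_rejects_cleartext("Winter2007", HISTORY))
    print("pre-hashed check catches reuse:",
          history_rejects_prehashed(ssha_hash("Winter2007", b"\x09\x0a\x0b\x0c"), HISTORY))
```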
