[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: Openldap support SHA-256 or SHA-3.

To: <michael@stroeder.com>,<quanah@symas.com>
Subject: Re: Antw: Re: Openldap support SHA-256 or SHA-3.
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
Date: Tue, 14 Jan 2020 09:12:58 +0100
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <A3800A014D08046DDE90E71C@[192.168.1.144]>
References: <CALm_Vjh4vgOBu8kZrJzRheAyqbZVL0OoE-nRAvc1z+nb-Eow9Q@mail.gmail. com> <67753E9A5A2A2945F035E0CC@192.168.1.144> <CALm_Vji=Mok7kkZ96+EEAu_Osw0rVjBANBrdejKFs=fEr--3HQ@mail.gmail.com> <1C6038D9E08BE216B90B3FF4@[192.168.1.144]> <7209ad32-c522-bc3e-e863-a5ff72c18e8b@stroeder.com> <7180359711BF1270F919BD53@[192.168.1.144]> <930e4cf3-240f-155e-1cbc-c74f68b9ba3e@stroeder.com> <CA17B510ABD069A7884B759C@[192.168.1.144]> <5E1C4FF9020000A1000363F4@gwsmtp.uni-regensburg.de> <A3800A014D08046DDE90E71C@[192.168.1.144]>

>>> Quanah Gibson-Mount <quanah@symas.com> schrieb am 13.01.2020 um 17:15 in
Nachricht <A3800A014D08046DDE90E71C@[192.168.1.144]>:

> 
> --On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl 
> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> 
>>>>> Quanah Gibson-Mount <quanah@symas.com> schrieb am 08.01.2020 um 03:05
>>>>> in
>> Nachricht <CA17B510ABD069A7884B759C@[192.168.1.144]>:
>>
>>>
>>> --On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder
>>> <michael@stroeder.com> wrote:
>>>
>>>> AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider
>>>> this to be rather irrelevant here.
>>>
>>> Incorrect, it's clearly implemented in slapd.  Whether it's enabled is a
>>> different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)
>>>
>>> In any case, I've been advocating for several years now to get rid of
>>> SSHA  as the default hashing mechanism and replace it with something
>>> that may  actually have some security value.
>>
>> Is a "well-salted" SHA-1 really worse than a "poorely-salted" SHA-256?
>> Isn't it all aboput the number of bits that have to be checked
>> (brute-force)?
> 
> As Howard already noted, what we're looking for is something like Argon2, 
> not further SSHA derivatives.

There may be a security benefit like going from paranoid to triple paranoid,
but for real life I think users' poor passwords and the handling of those
(keeping them in unsafe memory, fishing, post-it stickers, etc.) gives real
attackers easier means go "get the password".

Regards,
Ulrich

Follow-Ups:
- Re: Antw: Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>

References:
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Antw: Re: Openldap support SHA-256 or SHA-3.
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
- Re: Antw: Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Antw: Re: Openldap support SHA-256 or SHA-3.
Next by Date: Antw: Re: Replication account problem
Index(es):
- Chronological
- Thread