[Date Prev][Date Next] [Chronological] [Thread] [Top]

Revisiting the SHA1 default password hash

To: openldap-devel@openldap.org
Subject: Revisiting the SHA1 default password hash
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Fri, 24 Feb 2017 11:58:26 -0800
Content-disposition: inline

The general weakness of SHA has been understood for some time, althoughprogress advances on finding collisions (Such as<https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1>).

I think it would be wise to update OpenLDAP to a different default foruserPassword. We currently have the Contrib SHA2 module, and there's anice bcrypt(*) module on Github (I asked the author if they would bewilling to contribute it, but they seem to have gone silent).

It may be time to move the SHA2 module into core, but there has been somediscussion of the limitations of the current SHA2 module in the past thatwould likely need addressing.


What do other folks think?

* <https://github.com/wclarie/openldap-bcrypt/issues/1>

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Revisiting the SHA1 default password hash
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: ITS8529 -- Inclusion in RE24?
Next by Date: Re: Revisiting the SHA1 default password hash
Index(es):
- Chronological
- Thread