
Re: Revisiting the SHA1 default password hash



Quanah Gibson-Mount wrote:
> I think it would be wise to update OpenLDAP to a different default for userPassword.  

Yes!

> We currently have the Contrib SHA2 module,

SHA-2 hashes with one round are also way too fast to be a good password hash algorithm.

> It may be time to move the SHA2 module into core,

Yes, but there should be something stronger.

How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?

Ciao, Michael.
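
An added illustration of the point made in this message (not part of the original post and not OpenLDAP code): one round of salted SHA-256 next to PBKDF2-HMAC-SHA256, with a measurement of how much more each password guess costs. The iteration count, the function names and the simplified `{SSHA256}` / `{PBKDF2-SHA256}` string encodings are assumptions for the example and are not claimed to be byte-compatible with the contrib modules.

```python
import base64, hashlib, hmac, os, time

ITERATIONS = 10000  # assumed work factor, chosen only for this illustration

def ssha256(password: bytes, salt: bytes) -> str:
    """One round of salted SHA-256: base64(digest || salt)."""
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256, stored as iterations$salt$derived-key (simplified encoding)."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return "{PBKDF2-SHA256}%d$%s$%s" % (iterations, enc(salt), enc(dk))

def verify(password: bytes, stored: str) -> bool:
    """Recompute the hash from the parameters embedded in the stored value."""
    if stored.startswith("{SSHA256}"):
        raw = base64.b64decode(stored[len("{SSHA256}"):])
        candidate = ssha256(password, raw[32:])       # salt follows the 32-byte digest
    elif stored.startswith("{PBKDF2-SHA256}"):
        iters, salt_b64, _ = stored[len("{PBKDF2-SHA256}"):].split("$")
        candidate = pbkdf2_sha256(password, base64.b64decode(salt_b64), int(iters))
    else:
        return False                                  # unknown scheme: reject
    return hmac.compare_digest(candidate, stored)     # constant-time comparison

def seconds_per_guess(hash_fn, guesses: int) -> float:
    """Average time to hash one candidate password against a known salt."""
    salt = b"\x00" * 16                               # constructed sample salt
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(b"guess%d" % i, salt)
    return (time.perf_counter() - start) / guesses

def cost_ratio() -> float:
    """How many times more expensive one PBKDF2 guess is than one SSHA256 guess."""
    fast = seconds_per_guess(ssha256, 20000)
    slow = seconds_per_guess(pbkdf2_sha256, 20)
    return slow / fast

if __name__ == "__main__":
    salt = os.urandom(16)
    for stored in (ssha256(b"secret", salt), pbkdf2_sha256(b"secret", salt)):
        print(stored, verify(b"secret", stored), verify(b"wrong", stored))
    print("PBKDF2 guess cost relative to one-round SHA-256: %.0fx" % cost_ratio())
```

The salt prevents precomputed tables in both schemes; only the iteration count changes the per-guess cost of an offline search against a leaked userPassword value.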
