
Re: Revisiting the SHA1 default password hash



Michael Ströder wrote:
> Quanah Gibson-Mount wrote:
>> I think it would be wise to update OpenLDAP to a different default for userPassword.
>
> Yes!
>
>> We currently have the Contrib SHA2 module,
>
> SHA-2 hashes with one round are also way too fast to be a good password hash algorithm.
>
>> It may be time to move the SHA2 module into core,
>
> Yes, but there should be something stronger.
>
> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?

Yeah, at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/