[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

On Wed, 2005-10-12 at 16:23 -0400, Jason Day wrote:
> On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
> > Thats is a hell of a lot better then sending the plaintext password to
> > LDAP.  I would want the LDAP server to send me an MD5 encrypted
> > password.
> 
> Sure it's better, but it's still not safe.  If someone is sniffing your
> network they can collect the password hashes and then do dictionary
> and/or brute force attacks offline.  If someone is using a weak password
> it's only marginally better than sending in the clear.  SSL would be
> much better, but of course on an embedded device you probably don't have
> the option to just install OpenSSL.
> 
> I think, and I'm not sure about this, that most LDAP servers do _not_
> return the password hash along with the other user data.  I think that
> the fact that Domino does do this is considered a security risk.
> Assuming this is the case, you will need to add a password hash record
> to every user object in order to return it.  Which, of course, will mean
> you have to worry about keeping them in sync whenever a user changes
> his/her password.
> 
> Jason



</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00303" href="msg00303.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> hbbs at comcast.net (Jeff Hubbs)</li></ul></li>
<li><strong><a name="00305" href="msg00305.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> jasonday at worldnet.att.net (Jason Day)</li></ul></li>
<li><strong><a name="00317" href="msg00317.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> meuon at geeklabs.com (Mike Harrison)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00269" href="msg00269.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00286" href="msg00286.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> jasonday at worldnet.att.net (Jason Day)</li></ul></li>
<li><strong><a name="00294" href="msg00294.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00300" href="msg00300.html">[ale] How LDAP works with authentication</a></strong>
<ul><li><em>From:</em> jasonday at worldnet.att.net (Jason Day)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00301.html">[ale] ISPs</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00304.html">[ale] How LDAP works with authentication</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00300.html">[ale] How LDAP works with authentication</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00303.html">[ale] How LDAP works with authentication</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00302"><strong>Date</strong></a></li>
<li><a href="threads.html#00302"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>