[ale] How LDAP works with authentication
Christopher Fowler
cfowler at outpostsentinel.com
Wed Oct 12 16:51:54 EDT 2005
The question here is what is safer. Using SSL to transmit a plain-text
password or using SSL to transmit a password that is MD5 encrypted.
On Wed, 2005-10-12 at 16:23 -0400, Jason Day wrote:
> On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
> > Thats is a hell of a lot better then sending the plaintext password to
> > LDAP. I would want the LDAP server to send me an MD5 encrypted
> > password.
>
> Sure it's better, but it's still not safe. If someone is sniffing your
> network they can collect the password hashes and then do dictionary
> and/or brute force attacks offline. If someone is using a weak password
> it's only marginally better than sending in the clear. SSL would be
> much better, but of course on an embedded device you probably don't have
> the option to just install OpenSSL.
>
> I think, and I'm not sure about this, that most LDAP servers do _not_
> return the password hash along with the other user data. I think that
> the fact that Domino does do this is considered a security risk.
> Assuming this is the case, you will need to add a password hash record
> to every user object in order to return it. Which, of course, will mean
> you have to worry about keeping them in sync whenever a user changes
> his/her password.
>
> Jason
More information about the Ale
mailing list