[ale] How LDAP works with authentication

Jeff Hubbs hbbs at comcast.net
Wed Oct 12 12:59:58 EDT 2005


To be fair, I don't think that the md5 algorithm is an "encryption."  In 
any case, given that all SSLs in play are equal, it would be harder to 
recover a password from its md5sum through SSL than in plain text 
through SSL.

Christopher Fowler wrote:

>The question here is what is safer.  Using SSL to transmit a plain-text
>password or using SSL to transmit a password that is MD5 encrypted.
>
>On Wed, 2005-10-12 at 16:23 -0400, Jason Day wrote:
>
>>On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
>>
>>>That is a hell of a lot better than sending the plaintext password to
>>>LDAP.  I would want the LDAP server to send me an MD5 encrypted
>>>password.
>>>
>>Sure it's better, but it's still not safe.  If someone is sniffing your
>>network they can collect the password hashes and then do dictionary
>>and/or brute force attacks offline.  If someone is using a weak password
>>it's only marginally better than sending in the clear.  SSL would be
>>much better, but of course on an embedded device you probably don't have
>>the option to just install OpenSSL.
>>
>>I think, and I'm not sure about this, that most LDAP servers do _not_
>>return the password hash along with the other user data.  I think that
>>the fact that Domino does do this is considered a security risk.
>>Assuming this is the case, you will need to add a password hash record
>>to every user object in order to return it.  Which, of course, will mean
>>you have to worry about keeping them in sync whenever a user changes
>>his/her password.
>>
>>Jason
>>
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
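Jason's point about sniffed hashes being checked offline, as an added example that is not part of the thread: a small Python password audit of the kind a directory administrator runs against their own exported hashes. The users, salts, hashes and wordlist below are all constructed; it shows that an unsalted MD5 hash of a weak password is recovered with one hash per wordlist entry shared across every user, while a per-user salt only forces the work to be repeated per user, it does not protect a weak password.

```python
import hashlib

# Constructed sample: what a passive listener would collect if the LDAP
# server returned unsalted MD5 password hashes (hypothetical users).
CAPTURED_HASHES = {
    "alice": hashlib.md5(b"password").hexdigest(),        # weak, in the wordlist
    "bob": hashlib.md5(b"letmein").hexdigest(),           # weak, in the wordlist
    "carol": hashlib.md5(b"Vq7#kP2z!mXw9").hexdigest(),   # not in the wordlist
}

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]


def audit_unsalted_md5(hashes, wordlist):
    """Return {user: password} for every user whose unsalted MD5 hash matches
    a wordlist entry. One table of len(wordlist) hashes covers all users at
    once, because without a salt identical passwords hash identically."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def _salted(salt_hex, password):
    """Constructed helper: (salt, md5(salt || password)) for one user."""
    digest = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return salt_hex, digest


# Same constructed passwords, now with a per-user salt.
SALTED_HASHES = {
    "alice": _salted("a1b2c3d4", "password"),
    "bob": _salted("0f0e0d0c", "letmein"),
    "carol": _salted("deadbeef", "Vq7#kP2z!mXw9"),
}


def audit_salted_md5(salted, wordlist):
    """Return ({user: password}, hash_operations). With a salt the wordlist
    must be rehashed for each user, so the cost grows with the user count,
    but a weak password is still found."""
    found, ops = {}, 0
    for user, (salt, h) in salted.items():
        for word in wordlist:
            ops += 1
            if hashlib.md5(bytes.fromhex(salt) + word.encode()).hexdigest() == h:
                found[user] = word
                break
    return found, ops
```

Running the unsalted audit costs five hashes for all three users; the salted audit costs eleven here (two for alice, four for bob, five for carol) and recovers the same two weak passwords.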