[ale] How LDAP works with authentication
Jeff Hubbs
hbbs at comcast.net
Wed Oct 12 12:59:58 EDT 2005
To be fair, I don't think that the md5 algorithm is an "encryption." In
any case, given that all SSLs in play are equal, it would be harder to
recover a password from its md5sum through SSL than in plain text
through SSL.
Christopher Fowler wrote:
>The question here is what is safer. Using SSL to transmit a plain-text
>password or using SSL to transmit a password that is MD5 encrypted.
>
>On Wed, 2005-10-12 at 16:23 -0400, Jason Day wrote:
>
>>On Wed, Oct 12, 2005 at 03:22:15PM -0400, Christopher Fowler wrote:
>>
>>>That's a hell of a lot better than sending the plaintext password to
>>>LDAP. I would want the LDAP server to send me an MD5 encrypted
>>>password.
>>>
>>Sure it's better, but it's still not safe. If someone is sniffing your
>>network they can collect the password hashes and then do dictionary
>>and/or brute force attacks offline. If someone is using a weak password
>>it's only marginally better than sending in the clear. SSL would be
>>much better, but of course on an embedded device you probably don't have
>>the option to just install OpenSSL.
>>
>>I think, and I'm not sure about this, that most LDAP servers do _not_
>>return the password hash along with the other user data. I think that
>>the fact that Domino does do this is considered a security risk.
>>Assuming this is the case, you will need to add a password hash record
>>to every user object in order to return it. Which, of course, will mean
>>you have to worry about keeping them in sync whenever a user changes
>>his/her password.
>>
>>Jason
>>
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
>
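The two schemes the thread compares, as an added example that is not part of the original posts: sending md5(password) in place of the password leaves a sniffed hash replayable and, for a weak password, recoverable offline against a wordlist, while binding the proof to a per-connection server nonce (a challenge-response step the thread does not mention, added here as the usual mitigation) makes a captured response useless later. The user, password, store and wordlist are constructed.

```python
import hashlib
import hmac
from typing import Optional

def md5_hex(password: str) -> str:
    """What the client in the thread sends instead of the password: an unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed sample store: the server keeps md5(password), as the Domino-style setup does.
USER_STORE = {"cfowler": md5_hex("summer2005")}

# Constructed wordlist standing in for what an offline guessing run would use.
WORDLIST = ["password", "letmein", "summer2005", "qwerty"]

def hash_only_login(user: str, presented_hash: str) -> bool:
    """Scheme under discussion: compare the hash received over the wire with the stored one."""
    stored = USER_STORE.get(user)
    return stored is not None and hmac.compare_digest(stored, presented_hash)

def replay_captured_hash(user: str, captured_hash: str) -> bool:
    """A hash sniffed from the network logs in unchanged: the hash *is* the credential."""
    return hash_only_login(user, captured_hash)

def exposed_to_wordlist(captured_hash: str, wordlist) -> Optional[str]:
    """Unsalted MD5 has no key, so a weak password is found by hashing guesses offline."""
    for guess in wordlist:
        if hmac.compare_digest(md5_hex(guess), captured_hash):
            return guess
    return None

def client_response(password: str, nonce: bytes) -> str:
    """Mitigation: prove knowledge of the hash against a nonce the server chose for this connection."""
    return hmac.new(md5_hex(password).encode(), nonce, hashlib.md5).hexdigest()

def challenge_response_login(user: str, nonce: bytes, response: str) -> bool:
    """Server side of the challenge-response: a response captured for one nonce fails for any other.
    Whoever holds the stored hash can still compute it, so the hash store itself stays sensitive."""
    stored = USER_STORE.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, response)
```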