>>> Quanah Gibson-Mount <[email protected]> wrote on 13.01.2020 at 17:15 in message <A3800A014D08046DDE90E71C@[192.168.1.144]>:

> --On Monday, January 13, 2020 12:09 PM +0100 Ulrich Windl
> <[email protected]> wrote:
>
>> >>> Quanah Gibson-Mount <[email protected]> wrote on 08.01.2020 at 03:05
>> >>> in message <CA17B510ABD069A7884B759C@[192.168.1.144]>:
>>
>>> --On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder
>>> <[email protected]> wrote:
>>>
>>>> AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider
>>>> this to be rather irrelevant here.
>>>
>>> Incorrect, it's clearly implemented in slapd. Whether it's enabled is a
>>> different question, as it's IFDEF'd behind SLAPD_AUTHPASSWD. ;)
>>>
>>> In any case, I've been advocating for several years now to get rid of
>>> SSHA as the default hashing mechanism and replace it with something
>>> that may actually have some security value.
>>
>> Is a "well-salted" SHA-1 really worse than a "poorly-salted" SHA-256?
>> Isn't it all about the number of bits that have to be checked
>> (brute-force)?
>
> As Howard already noted, what we're looking for is something like Argon2,
> not further SSHA derivatives.

There may be a security benefit like going from paranoid to triple paranoid, but for real life I think users' poor passwords and the handling of those (keeping them in unsafe memory, phishing, post-it stickers, etc.) gives real attackers easier means to "get the password".

Regards,
Ulrich
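As an added example, not from this thread or from OpenLDAP's own code: the {SSHA} scheme slapd stores (base64 of SHA-1(password || salt) followed by the salt) next to a work-factor hash, to show why the salt's bits do not count against a guesser (the salt sits in the clear inside the stored value) and why the per-guess cost is what an Argon2-style scheme changes. Python's stdlib scrypt stands in for Argon2 here; the {SCRYPT} string format, the 4-byte salt default and the sample password are assumptions of the example.

```python
from __future__ import annotations
import base64
import hashlib
import os
import secrets
import time

SHA1_LEN = 20  # {SSHA} stores the 20-byte SHA-1 digest first, then the salt in the clear


def ssha_hash(password: bytes, salt: bytes | None = None) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt  # 4-byte salt, as slappasswd produces
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored: str) -> bytes:
    """The salt is readable from the stored value, so it adds no secret bits to a guess."""
    return base64.b64decode(stored[len("{SSHA}"):])[SHA1_LEN:]


def ssha_verify(stored: str, password: bytes) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return secrets.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def scrypt_hash(password: bytes, salt: bytes | None = None, n: int = 2**14) -> str:
    """Work-factor hash; scrypt stands in for Argon2. The {SCRYPT} format is constructed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password, salt=salt, n=n, r=8, p=1, dklen=32)
    return "{SCRYPT}%d$%s$%s" % (n, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def scrypt_verify(stored: str, password: bytes) -> bool:
    n, salt_b64, digest_b64 = stored[len("{SCRYPT}"):].split("$")
    digest = hashlib.scrypt(password, salt=base64.b64decode(salt_b64), n=int(n), r=8, p=1, dklen=32)
    return secrets.compare_digest(digest, base64.b64decode(digest_b64))


def guesses_per_second(verify, stored: str, guesses: int) -> float:
    """Verification throughput: the only lever a stored hash has against brute force."""
    start = time.perf_counter()
    for i in range(guesses):
        verify(stored, b"guess%d" % i)  # constructed wrong guesses, just to measure cost
    return guesses / (time.perf_counter() - start)


def cost_ratio(password: bytes = b"Winter2020") -> float:
    """How many SSHA guesses fit into the time of one scrypt guess, salt length aside."""
    fast = guesses_per_second(ssha_verify, ssha_hash(password), 2000)
    slow = guesses_per_second(scrypt_verify, scrypt_hash(password), 3)
    return fast / slow
```

Swapping SHA-1 for SHA-256 in the {SSHA} layout leaves cost_ratio() in the same order of magnitude; only the work factor moves it.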
