[389-users] How to specify number of hashing iterations for a password
Rich Megginson
rmeggins at redhat.com
Wed Jan 15 19:10:56 UTC 2014
On 01/15/2014 11:51 AM, Richard Mixon wrote:
> Nathan/Rich,
>
> Thank you both for the responses.
>
> We are using the 389 Directory Server for a pretty isolated situation
> - authentication/authorization for external users on an "extranet"
> type portal website (it integrates pieces of several different web
> applications).
>
> We don't really envision (famous last words, I know) using it on a
> broader basis.
>
> Rich, I can understand why the pre-hashed passwords cause a lot of
> integration points to break. Is there a good alternative that still
> makes cracking your passwords prohibitively expensive?
Well, actually, yes - don't use passwords - use client certificate based
authentication . . .
>
> Nathan, I have a background in C, but do mostly Java these days. I
> will take a look at ticket 397 and get back to you if it's something I
> could work on. Can you provide me the pointers you were referring to?
>
> Thank you - Richard
>
>
>
> On Wed, Jan 15, 2014 at 11:25 AM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 01/15/2014 10:38 AM, Richard Mixon wrote:
>> During the bind process is there any way to tell 389 directory
>> server to hash a plaintext password n (multiple) times before
>> trying to compare to what is stored?
>>
>> I am trying to implement something similar to what's described in
>> this article:
>> http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
>>
>> Our plan was to use SSHA256 to hash the passwords around
>> 200,000 times before storing. This would at least slow down any
>> cracking attempts should someone get access to our directory.
>>
>> I've read through the documentation on the Red Hat Directory
>> Server site, including the "Plug-in Guide". Under "5.8 Checking
>> Passwords" it refers to calling function "slapi_pw_find_sv()" -
>> looking at the doc for this function it does not look like
>> hashing multiple times is supported.
>>
>> Is there some means of doing this that is not obvious to me?
>
> No.
>
>>
>> I can certainly do it by re-writing the security plugins for the
>> various servers (Tomcat, PHP Wordpress, etc) such that they hash
>> the plaintext password n minus 1 times before issuing the bind -
>> but was hoping not to do that.
>
> Use of pre-hashed passwords is strongly discouraged and will break
> things like sasl and replication.
>
> Does this have anything to do with
> https://fedorahosted.org/389/ticket/397?
>
>>
>> I'm relatively new to 389 directory server, but so far quite
>> happy to have moved to it from another directory server.
>>
>> Thank you - Richard
>>
>> --
>> Richard Mixon
>> Custom Computer Creations, L.L.C.
>> mobile: (480) 577-6834 office: (480) 614-3442
>> email: rnmixon at CustCo.biz
>> Microsoft Partner ID: 1263725
>> The messages and documents transmitted with this notice contain
>> confidential information belonging to the sender. If you are not
>> the intended recipient of this information, you are hereby
>> notified that any disclosure, copying, distribution or use of the
>> information is strictly prohibited. If you have received this
>> transmission in error, please notify the sender immediately.
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
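The two storage schemes discussed above, as an added example that is not part of the thread or of 389 DS itself: the single-round {SSHA256} form the server stores (assumed here to be base64 of SHA-256(password || salt) followed by an 8-byte salt) beside an iterated PBKDF2-HMAC-SHA256 form that records its iteration count so a verifier can repeat the same 200,000 rounds. The {PBKDF2-SHA256} tag and the sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed {SSHA256} layout: base64( SHA-256(password || salt) || salt ),
# with an 8-byte salt appended after the 32-byte digest.
SSHA256_SALT_LEN = 8
SSHA256_DIGEST_LEN = 32


def ssha256_hash(password, salt=None):
    """Store a password the way the server does: one salted SHA-256 round."""
    salt = salt if salt is not None else os.urandom(SSHA256_SALT_LEN)
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password, stored):
    """Recompute the single round with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA256}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:SSHA256_DIGEST_LEN], raw[SSHA256_DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(password + salt).digest(), digest)


# Iterated alternative. The iteration count travels with the salt and hash,
# otherwise a verifier cannot know how much work to repeat. The tag below is
# constructed for this example, not a 389 DS scheme name.
PBKDF2_TAG = "{PBKDF2-SHA256}"


def pbkdf2_hash(password, iterations=200_000, salt=None):
    """Key-stretch with PBKDF2-HMAC-SHA256; cost scales linearly with iterations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "%s%d$%s$%s" % (PBKDF2_TAG, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(dk).decode("ascii"))


def pbkdf2_verify(password, stored):
    """Parse iterations/salt/hash out of the stored value and redo the work."""
    if not stored.startswith(PBKDF2_TAG):
        return False
    iters_s, salt_b64, dk_b64 = stored[len(PBKDF2_TAG):].split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, int(iters_s),
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)
```

A verifier for the iterated form only works if the stored value carries the iteration count, which is why a client cannot pre-hash n-1 rounds and hand the result to a server that knows nothing of the scheme.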