Re: How to specify number of hashing iterations for a password

On 01/15/2014 11:51 AM, Richard Mixon wrote:
Nathan/Rich,

Thank you both for the responses.

We are using the 389 Directory Server for a pretty isolated situation - authentication/authorization for external users on an "extranet" type portal website (it integrates pieces of several different web applications).

We don't really envision (famous last words, I know) using it on a broader basis.

Rich, I can understand why the pre-hashed passwords cause a lot of integration points to break. Is there a good alternative that still makes cracking your passwords prohibitively expensive?

Well, actually, yes - don't use passwords - use client certificate-based authentication . . .


Nathan, I have a background in C, but do mostly Java these days. I will take a look at ticket 397 and get back to you if it's something I could work on. Can you provide me the pointers you were referring to?

Thank you - Richard



On Wed, Jan 15, 2014 at 11:25 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 01/15/2014 10:38 AM, Richard Mixon wrote:
During the bind process is there any way to tell 389 directory server to hash a plaintext password n (multiple) times before trying to compare to what is stored?

I am trying to implement something similar to what's described in this article:
  http://www.stormpath.com/blog/strong-password-hashing-apache-shiro

Our plan was to use SSHA256 to hash the passwords around 200,000 times before storing. This would at least slow down any cracking attempts should someone get access to our directory.

I've read through the documentation on the Red Hat Directory Server site, including the "Plug-in Guide". Under "5.8 Checking Passwords" it refers to calling function "slapi_pw_find_sv()" - looking at the doc for this function it does not look like hashing multiple times is supported.

Is there some means of doing this that is not obvious to me?

No.


I can certainly do it by re-writing the security plugins for the various servers (Tomcat, PHP WordPress, etc.) such that they hash the plaintext password n minus 1 times before issuing the bind - but was hoping not to do that.

Use of pre-hashed passwords is strongly discouraged and will break things like sasl and replication.

Does this have anything to do with https://fedorahosted.org/389/ticket/397?


I'm relatively new to 389 directory server, but so far quite happy to have moved to it from another directory server.

Thank you - Richard

--
Richard Mixon
Custom Computer Creations, L.L.C.
mobile: (480) 577-6834 office: (480) 614-3442
email: rnmixon@xxxxxxxxxx <mailto:rnmixon@xxxxxxxxxx>
Microsoft Partner ID: 1263725 
The messages and documents transmitted with this notice contain confidential information belonging to the sender. If you are not the intended recipient of this information, you are hereby notified that any disclosure, copying, distribution or use of the information is strictly prohibited. If you have received this transmission in error, please notify the sender immediately.




--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users





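An added example in Python (not code from this thread or from 389 Directory Server): it encodes and verifies the LDAP {SSHA256} userPassword format the way a directory server does, with one SHA-256 over password+salt, and then models the "hash n minus 1 times on the client, server does the last one" plan discussed above. The per-user client salt and the 200,000 count are assumptions; the last check shows why a plain-password bind (SASL, another application, replication peers) stops verifying once the stored value is pre-hashed.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"
DIGEST_LEN = 32  # SHA-256 output size; salt is whatever follows it


def ssha256_encode(secret: bytes, salt: bytes = None) -> str:
    """Store as the server would: "{SSHA256}" + base64(sha256(secret+salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(secret + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(secret: bytes, stored: str) -> bool:
    """Server-side bind check: exactly one hash, as slapi_pw_find_sv() does."""
    if not stored.startswith(SCHEME):
        return False
    blob = base64.b64decode(stored[len(SCHEME):])
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha256(secret + salt).digest()
    return hmac.compare_digest(candidate, digest)


def client_prehash(password: bytes, user_salt: bytes, n: int) -> bytes:
    """The thread's workaround: iterate n-1 times on the client (assumed per-user
    salt), leaving the single server-side hash as iteration n."""
    value = password
    for _ in range(n - 1):
        value = hashlib.sha256(value + user_salt).digest()
    return value


def enroll_prehashed(password: bytes, user_salt: bytes, n: int) -> str:
    """What the directory would hold if the application pre-hashes before storing."""
    return ssha256_encode(client_prehash(password, user_salt, n))


def bind_plain(password: bytes, stored: str) -> bool:
    """A client that does not know the scheme sends the plaintext password;
    against a pre-hashed entry this always fails, which is the integration break."""
    return ssha256_verify(password, stored)


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    stored = enroll_prehashed(b"correct horse", b"uid=rmixon", 200_000)
    print(bind_plain(client_prehash(b"correct horse", b"uid=rmixon", 200_000), stored))
    print(bind_plain(b"correct horse", stored))
```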
