Hello,

I have several questions regarding PBKDF2 as a password storage scheme, maybe someone can help?

1) Is it correct that in the latest version the number of iterations for new hashes is not configurable, but determined dynamically based on calculations?

2) If yes: I think for compliance reasons it would be a good idea to add a configurable "minimum iterations" variable. This might slow down authentication but could help to enforce a minimum security level if required. Any comments?

3) Am I right that if the current calculation results in a higher "iterations number" than used before (e.g., at the time of the last password-change of a user), the hash remains unchanged until a new password-change? The "Password Upgrade on Bind" (https://www.port389.org/docs/389ds/design/pwupgrade-on-bind.html) does not apply for "more iterations"?

4) If yes: This could be a valuable improvement as the general idea of PBKDF2 is to increase iteration count over time while hardware resources are growing. Any comments?

Kind regards,
Tobias Ernstberger
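The two ideas raised in questions 2 and 4 (a configurable iteration floor, and re-hashing on a successful bind when the stored count is too low), sketched as an added example that is not 389 Directory Server code. The `iterations$salt$hash` record layout, `MIN_ITERATIONS` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_ITERATIONS = 100_000  # hypothetical configurable floor (question 2)


def target_iterations(calculated):
    """Iteration count for new hashes: the calculated value, never below the floor."""
    return max(calculated, MIN_ITERATIONS)


def make_hash(password, iterations, salt=None):
    """Build a record in the constructed layout 'iterations$salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def bind(password, stored, calculated):
    """Verify a password against a stored record.

    Returns (ok, upgraded). 'upgraded' is a replacement record when the bind
    succeeded and the stored iteration count is below the current target
    (question 4); otherwise it is None and the stored record is kept.
    """
    try:
        iters_s, salt_hex, dk_hex = stored.split("$")
        iters, salt, expected = int(iters_s), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, None  # malformed record: fail closed
    if iters <= 0:
        return False, None
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    if not hmac.compare_digest(dk, expected):
        return False, None  # never re-hash on a failed bind
    want = target_iterations(calculated)
    if iters < want:
        # The cleartext is only available here, during a successful bind,
        # so this is the one point where the count can be raised.
        return True, make_hash(password, want)
    return True, None
```
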