[ACCEPTED]-How secure is your password in LDAP?-passwords

Accepted answer
Score: 14

Passwords are stored as hashed strings in LDAP directories. OpenLDAP for example supports the schemes salted SHA1 {SSHA}, crypt {CRYPT} (OS dependent), MD5 {MD5}, salted MD5 {SMD5} and SHA1 {SHA}. I think Active Directory servers store some sort of LM hash and/or NT hash.

Given that fact, storing a password in an LDAP directory is not more or less secure than storing the hashed password (same hashing assumed) in a file or an SQL database. Everyone who has direct access to the underlying data structure can at least read the hashed password value (if the data is not additionally encrypted on a file or filesystem basis).

The decision whether to use LDAP or some other kind of account storage mechanism will surely not be based on how securely the passwords are stored. The decision will rather be based on how the authentication will be done and what other requirements you have to fulfil. LDAP comes in handy when you have to connect different clients to a central authentication system (e.g. proprietary software, email servers) or if you have to integrate it into some KERBEROS or SASL authentication scenario.
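The OpenLDAP schemes listed in this answer share one layout: the scheme tag in braces, then base64 of the digest with the salt appended for the salted variants. The following is an added example, not code from the answer or from OpenLDAP; the 8-byte salt length and the sample passwords are constructed choices, and {CRYPT} is left out because it is OS dependent.

```python
import base64
import hashlib
import hmac
import os

# Added example: build and verify OpenLDAP-style {SHA}/{SSHA}/{MD5}/{SMD5} values.
# Layout: "{SCHEME}" + base64(digest(password + salt) + salt); unsalted schemes use no salt.
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}

def make_password(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Return a userPassword attribute value for the given scheme."""
    hasher, salted = SCHEMES[scheme.upper()]
    if salted and not salt:
        salt = os.urandom(8)  # constructed choice: 8 random salt bytes per password
    elif not salted:
        salt = b""  # unsalted schemes ignore any salt passed in
    digest = hasher(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))

def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored value; False on any mismatch."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    entry = SCHEMES.get(scheme.upper())
    if entry is None:
        return False  # unknown scheme such as {CRYPT}: refuse rather than guess
    hasher, salted = entry
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    size = hasher().digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (not salted and salt):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    calc = hasher(password.encode("utf-8") + salt).digest()
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(calc, digest)
```

Generating the same password twice with {SSHA} yields two different stored values while {SHA} yields identical ones, which is the practical reason to prefer the salted schemes.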

Score: 5

Passwords are as secure as the weakest link between user and the location where the password is stored. Basically, this means that it's not only the way the password is stored that needs to be secured, but also the connection lines between user and storage. When server and communications are secure, the weakest link often turns out to be the user. (Because users sometimes have the memory capacity of a pet rock.)

A colleague of mine once lost his laptop and he was quite worried that the thief would access all the secret stuff on his system. As it turned out, he had attached a small note on his laptop with his password on it. And unfortunately, he isn't the only person in this world who just writes passwords on a note next to their computer.

Score: 4

LDAP is a communication protocol; the way the password is stored is pretty much up to the directory system. See NTLM user authentication in Windows for what Windows does, for example.

The LAN Manager-compatible password is compatible with the password that is used by LAN Manager. This password is based on the original equipment manufacturer (OEM) character set. This password is not case sensitive and can be up to 14 characters long. The OWF version of this password is also known as the LAN Manager OWF or ESTD version. This password is computed by using DES encryption to encrypt a constant with the clear text password. The LAN Manager OWF password is 16 bytes long. The first 7 bytes of the clear text password are used to compute the first 8 bytes of the LAN Manager OWF password. The second 7 bytes of the clear text password are used to compute the second 8 bytes of the LAN Manager OWF password.

The Windows password is based on the Unicode character set. This password is case sensitive and can be up to 128 characters long. The OWF version of this password is also known as the Windows OWF password. This password is computed by using the RSA MD-4 encryption algorithm. This algorithm computes a 16-byte digest of a variable-length string of clear text password bytes.

It's not particularly super safe, but Active Directory is usually implemented with lockout after a few bad attempts, so that's not so bad. In general, any code written by a vendor is better than rolling out your own.

It also depends how you are storing your password in the database and what policies are applied. Storing a plain password unhashed or unencrypted is a terrible idea. Normally a directory system takes care of that. AD for example could also require password complexity and prevent reuse of the same password, etc. Putting it into a file where it's accessible to an attacker would be a bad idea.

Score: 3

As long as you do not expose your password unencrypted on the network, it is just as safe as storing hashed passwords in databases. Depending on LDAP server implementations you can use many different kinds of hashes.

OpenLDAP offers CRYPT, MD5, SMD5, SSHA and SHA (according to my man page).

In short, LDAP offers you similar hashing capabilities as you would have hashing the passwords yourself and storing them in an SQL database.
