Re: [bitfolk] Password hashes, was Re: Please log in...

Hi Martijn, On Sat, Dec 29, 2018 at 07:58:50PM +0000, Martijn Grooten wrote: Okay, I accept in the general case that this might be true, but in BitFolk's specific case we have multiple different off the shelf software packages all authenticating using LDAP and I need OpenLDAP's own password routines to be able to manage password checks and changing. So, that does limit me to the hashing schemes supported by OpenLDAP, which I don't think would include putting multiple different old hash schemes into a new hash scheme. As far as I know, to do what you're suggesting I would either need to write a module for OpenLDAP so it could migrate in that way, or else have every application do it and have them send/read the raw hashes from LDAP for update/comparison. Both of those seem like huge projects so I am afraid I have had to ask people to simply log in again, in the interests of having this done in a reasonable time frame. I suspect that most companies would have just silently let the hashes upgrade over time (by people logging in / resetting their passwords without prompting), or else would have forced it by invalidating everyone's passwords. There are other things I would do differently if writing a bespoke app or set of tightly coupled apps. For example, I think ARGON2 is probably the best key derivation function to be using right now, and would be easy to implement in a single bespoke app, but has no support in OpenLDAP nor in glibc crypt(3), so it has not been an option. In my recent research I have even found OpenLDAP developers recommending that people use 'SSHA' in this day and age "for compatibility" - that's "Salted SHA-1"! Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting