At 1:56 AM -0700 4/10/02, David Wright wrote:

>>Putting the password over the wire is always a bad idea.

>If there were no downside to challenge-response, I'd agree. But if
>the price is storing my passwords unhashed, I'm not willing to pay
>it. All my sites use MD5 or SHA hashing, which OpenLDAP supports.

I just don't think hashing gets you a whole lot. You'll always be playing the leapfrog, hardware vs. algorithm thing. You're winning right now, but sooner than later, we'll be looking at MD5 the same way we look at crypt.

>>Maybe I'm a dork for buying into Kerb, but hey, I'm sold, sue me.
>>Sasl seems like the best way to abstract kerb out to LDAP, cyrus,
>>etc.
>
>Kerberos is the gold standard, I can't disagree there. But if
>Kerberos abstraction is your only metric for a security layer, why
>not just have everyone compile in libkrb and forget about the
>security layer altogether? :-)

Mainly, because I figure the people developing the LDAP RFCs are smarter than me, and they included SASL in v3. Thinking for yourself is overrated ;-)

I've been wrong before, though.

--
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
[EMAIL PROTECTED]
303.517.0272
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."
-- Nietzsche

Think Different.
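The trade-off David and Michael are arguing about (a salted hash at rest means the password itself must travel to the server, while a CRAM-style challenge-response keeps it off the wire but forces the server to keep the secret) can be shown in a few lines. The following is an added example written for this page, not code from the thread or from OpenLDAP; it uses SHA-256 with Python's hashlib/hmac in place of the MD5/SHA and CRAM-MD5/DIGEST-MD5 mechanisms of the era, and all passwords, salts and challenge strings are constructed values. The functions compare what a disclosure of the server's stored records buys in each scheme, and the unsalted-versus-salted comparison mirrors OpenLDAP's {SHA} versus {SSHA} storage schemes.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---------------------------------------------------------------------------
# Scheme 1: password sent over the wire (under TLS in practice), salted hash
# at rest.  The server never holds anything it could replay as the password.
# ---------------------------------------------------------------------------

def make_hashed_record(password: bytes, salt: Optional[bytes] = None) -> dict:
    """Store salt + SHA-256(salt || password); analogous to OpenLDAP {SSHA}."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "digest": hashlib.sha256(salt + password).digest()}


def verify_plaintext(record: dict, presented: bytes) -> bool:
    """Server recomputes the salted digest from the password the client sent."""
    expected = hashlib.sha256(record["salt"] + presented).digest()
    return hmac.compare_digest(expected, record["digest"])


def unsalted_digest(password: bytes) -> bytes:
    """Analogous to OpenLDAP {SHA}: identical passwords give identical digests,
    so one precomputed table answers every user at once."""
    return hashlib.sha256(password).digest()


# ---------------------------------------------------------------------------
# Scheme 2: CRAM-style challenge-response.  The password never crosses the
# wire, but the server must hold the password (or a plaintext-equivalent
# intermediate, as DIGEST-MD5 does) to compute the same keyed hash.
# ---------------------------------------------------------------------------

def cram_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: keyed hash over the server's one-time challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_cram(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: needs the same secret to reproduce the response."""
    return hmac.compare_digest(cram_response(stored_secret, challenge), response)


# ---------------------------------------------------------------------------
# Impact of a leaked credential store: can the stored record alone pass a
# login, with no guessing or cracking?  This is the cost David is weighing
# against the benefit of keeping the password off the wire.
# ---------------------------------------------------------------------------

def leaked_record_authenticates(scheme: str, leaked, challenge: bytes) -> bool:
    if scheme == "hashed":
        # The record is a digest, not the password; presenting it fails, so the
        # holder is back to an offline guessing problem (the "leapfrog").
        return verify_plaintext(leaked, leaked["digest"])
    if scheme == "cram":
        # The stored secret is exactly the HMAC key; the record is the credential.
        return verify_cram(leaked, challenge, cram_response(leaked, challenge))
    raise ValueError(f"unknown scheme {scheme!r}")


def compare_schemes(password: bytes, challenge: bytes) -> dict:
    """Summarise both schemes for one constructed password and challenge."""
    hashed = make_hashed_record(password)
    return {
        "hashed_login_ok": verify_plaintext(hashed, password),
        "hashed_leak_logs_in": leaked_record_authenticates("hashed", hashed, challenge),
        "cram_login_ok": verify_cram(password, challenge, cram_response(password, challenge)),
        "cram_leak_logs_in": leaked_record_authenticates("cram", password, challenge),
        "unsalted_collide": unsalted_digest(password) == unsalted_digest(password),
        "salted_collide": make_hashed_record(password)["digest"] == hashed["digest"],
    }


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    for k, v in compare_schemes(b"correct horse", b"<1234.5678@ldap.example>").items():
        print(f"{k:22s} {v}")
```

Both honest logins succeed; the difference is what a copy of the server's records is worth. With the salted hash, two users sharing a password get different digests and the leaked digest does not log in. With the challenge-response store, the leaked secret logs in on the first try, which is why deploying CRAM/DIGEST-style mechanisms over LDAP is usually paired with something like Kerberos, where the long-term key lives in a KDC rather than in every service's directory.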