On Tue, May 6, 2008 at 9:55 PM, Iris Lames <[EMAIL PROTECTED]> wrote:
> > > > I have a sample here:
> > > >
> > > > dn: uid=some.user,ou=people,dc=mydomain,dc=com
> > > > userPassword:: VmVRdWFrczE=
> > > >
> > > > The password is a base64-encoded text string.
> >
> > It is a strong indication that the password is base64 encoding because
> > of the "=" character at the end of the password and not a normal crypt(3)
> > function with a two-character salt + 11-character hash, which
> > is 1 character shy of the password above.
> >
> > "VmVRdWFrczE=" = base64("VeQuaks1")
> >
> > I want to make sure first if the password is correct before we
> > conclude it is indeed base64 encoding... that is why I want her to try
> > it first...
> >
> > fooler.
>
> Thanks, it works. It's indeed base64.
> Thanks...Thanks...Thanks!!!
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
Hi Iris,

You should change the mechanism on your system by which passwords are protected (either in transmission or in storage). If it's possible, configure your system to use hash algorithms like MD5, Blowfish (technically, it's not a hash algorithm; I'm referring to the password format, not the symmetric algorithm) or SHA, instead of base64 encoding. If possible, you should encrypt communications between your key/critical systems in your network.

Your company should have developed and implemented formal policies, standards and guidelines regarding access control (which includes passwords and account/login controls). If possible, these high-level controls should be enforced in all your systems using their built-in security features. If there are limitations by which your system can enforce a certain security policy provision, you should implement alternative and/or compensating security controls that would mitigate the same security risks and meet the related security objectives. This is not limited to the technology level, but may be implemented on the IT process and people level as well. These limitations should be documented in an exception document (if you have one).

Ariz is right; please read and understand your company's information/data classification policy (if you have one) for guidance regarding the handling of confidential data/information. Confidential information should not be disclosed to certain parties or entities (what is "confidential", what is "handling", and who these "parties" are should be defined in your information classification policy).

--
Cheers,
Cris Masancay
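As an added illustration of the advice in this thread (example code written for this edit, not from anyone on the list), the following Python script decodes LDIF `userPassword::` values the way fooler did, classifies each one as plaintext, traditional crypt(3) (2-character salt + 11-character hash), modular crypt (`$1$`, `$2a$`, `$5$`, `$6$`) or an RFC 2307 `{SCHEME}` hash, and produces a salted SHA (`{SSHA}`) value of the kind an LDAP server stores, with constant-time verification. The LDIF entry, the password and the salt are constructed for the example; the format heuristics in `classify_password_value` are assumptions, not an LDAP standard.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample LDIF entry (not the one from the thread). Per RFC 2849 a
# double colon after the attribute name means the value is base64-encoded; the
# decoded value here is the plaintext "example-password".
SAMPLE_LDIF = """dn: uid=example.user,ou=people,dc=example,dc=com
userPassword:: ZXhhbXBsZS1wYXNzd29yZA==
"""


def ldif_attribute_values(ldif_text, attribute):
    """Return the decoded raw bytes of every `attribute` value in an LDIF fragment."""
    values = []
    for line in ldif_text.splitlines():
        if line.startswith(attribute + ":: "):
            # "::" -> base64-encoded value, exactly the case discussed in the thread
            values.append(base64.b64decode(line.split(":: ", 1)[1].strip()))
        elif line.startswith(attribute + ": "):
            # single ":" -> value stored literally
            values.append(line.split(": ", 1)[1].strip().encode())
    return values


def classify_password_value(value):
    """Heuristically classify how a userPassword value is stored (assumed rules).

    Returns 'scheme-hashed', 'crypt-hashed' or 'plaintext'.
    """
    text = value.decode("utf-8", errors="replace")
    # RFC 2307 style prefix: {SSHA}..., {CRYPT}..., {MD5}..., {SHA}...
    if re.match(r"^\{[A-Za-z0-9-]+\}", text):
        return "scheme-hashed"
    # Modular crypt: $1$ (MD5), $2a$/$2b$/$2y$ (bcrypt/Blowfish), $5$/$6$ (SHA-2)
    if re.match(r"^\$(1|2[aby]|5|6)\$", text):
        return "crypt-hashed"
    # Traditional DES crypt(3): 2-character salt + 11-character hash = 13 characters
    # (a 13-character plaintext password would be misclassified; this is a heuristic)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", text):
        return "crypt-hashed"
    return "plaintext"


def audit_userpasswords(ldif_text):
    """Return (dn, classification) for every entry carrying a userPassword."""
    results = []
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:"):
            value = ldif_attribute_values(line, "userPassword")[0]
            results.append((dn, classify_password_value(value)))
    return results


def make_ssha(password, salt=None):
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # random per-password salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for dn, kind in audit_userpasswords(SAMPLE_LDIF):
        print(f"{dn}: {kind}")
    replacement = make_ssha("example-password")
    print("replacement value:", replacement)
    print("verifies:", verify_ssha("example-password", replacement))
```

Running the script reports the constructed entry as `plaintext` and prints a `{SSHA}` replacement that verifies against the original password; the same `audit_userpasswords` call over a full `slapcat` export would list every entry still stored as base64 or plaintext rather than hashed.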