On 24/04/15 15:49, Shawn McKinney wrote:
>> On Apr 24, 2015, at 8:09 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:
>>
>> Ouch !!!
>>
>> Wouldn't it have been more efficient to store the password using a base64
>> encoding?
> A couple of years ago, ldapcon2011, I let someone talk me into changing the 
> password from string to char array representation.  The rationale was that a 
> string password introduces a vulnerability.

But a base-64 representation of a char[] (or even better, a byte[],
assuming the password is UTF-8 encoded) is most certainly better, from a
security POV.

Also, considering that what you are using is pure ASCII chars, which will
not be appropriate for around 4/5 of the world, such a modification
could be valuable.

As a matter of fact, passwords in LDIF are generally stored already
hashed, i.e. as byte[], because whatever representation you use (be it a
String or a char[]), this is already fully vulnerable...

IMO, there is something wrong in this area...
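The representations under discussion (String, char[], UTF-8 byte[], base64) have different properties, and the following Java example, added here and not code from either participant or from any project they work on, makes them concrete: a char[] password is converted to UTF-8 bytes without passing through an immutable String, hashed, base64-encoded for storage, and then both mutable copies are wiped; a second helper shows that base64 alone round-trips exactly and so adds no protection. The class and method names, the SHA-256 choice and the sample password are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper class written for this example.
public class PasswordRepresentation {

    // Encode a char[] as UTF-8 bytes without creating a String. A String is
    // immutable and stays in the heap until the GC reclaims it; a char[] and a
    // byte[] can be overwritten as soon as they are no longer needed.
    static byte[] toUtf8(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's intermediate buffer
        }
        return bytes;
    }

    // Hash the password and base64-encode the digest, which is the kind of
    // form a hashed password takes when stored in LDIF. SHA-256 is used here
    // only to keep the example short; a real deployment would use a salted,
    // deliberately slow password hash and the scheme label its directory
    // server expects. Both mutable copies are wiped on the way out.
    static String hashForStorage(char[] password) throws NoSuchAlgorithmException {
        byte[] raw = toUtf8(password);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(raw);
            return Base64.getEncoder().encodeToString(digest);
        } finally {
            Arrays.fill(raw, (byte) 0);   // wipe the UTF-8 copy
            Arrays.fill(password, '\0');  // wipe the caller's char[] as well
        }
    }

    // Base64 is an encoding, not protection: decoding returns the input unchanged.
    static String base64RoundTrip(String plaintext) {
        byte[] encodedInput = plaintext.getBytes(StandardCharsets.UTF_8);
        String encoded = Base64.getEncoder().encodeToString(encodedInput);
        byte[] decoded = Base64.getDecoder().decode(encoded);
        return new String(decoded, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample containing non-ASCII characters, so the UTF-8
        // conversion actually matters (a char[] holds UTF-16 code units).
        char[] pw = "p\u00e4ss\u0119\u4e16".toCharArray();
        System.out.println("stored form : " + hashForStorage(pw));
        System.out.println("char[] after: " + Arrays.toString(pw)); // all '\0'
        System.out.println("base64 round-trips to: " + base64RoundTrip("not-a-secret"));
    }
}
```

The design point is that wiping is only possible for the mutable forms, which is why the byte[] of the hashed value, not a base64 copy of the clear text, is what ends up in the directory.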
