Michael Ströder wrote:
> Quanah Gibson-Mount wrote:
>> I think it would be wise to update OpenLDAP to a different default for
>> userPassword.
>
> Yes!
>
>> We currently have the Contrib SHA2 module,
>
> SHA-2 hashes with one round are also way too fast to be a good password hash
> algorithm.
>
>> It may be time to move the SHA2 module into core,
>
> Yes, but there should be something stronger.
> How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?

Yeah at this point we can probably bypass SHA2 and just go straight to SHA3.
There's a lot of crypto software out there already using it. pbkdf2 is still
using SHA2.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
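
Added example, not part of the thread and not code from OpenLDAP or any of the posters: a Python sketch contrasting a single-round salted SHA-256 userPassword value with an iterated PBKDF2-SHA256 one, and reporting the per-guess work each costs an offline guesser. The `{SSHA256}` and `{PBKDF2-SHA256}` value layouts are assumptions about how the contrib sha2 and pbkdf2 modules store values (check the module READMEs); the password, salt and iteration count are constructed.

```python
import base64
import hashlib
import hmac

# Schemes that run the digest once per guess (plain and salted variants).
SINGLE_ROUND = {"{MD5}", "{SMD5}", "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
                "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}"}
SAMPLE = (b"correct horse", bytes(range(16)), 10000)  # constructed pw, salt, iterations

def ab64(raw):
    # Assumed "adapted base64": '+' replaced by '.', '=' padding dropped.
    return base64.b64encode(raw).decode().replace("+", ".").rstrip("=")

def ab64_decode(text):
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def ssha256(password, salt):
    # One SHA-256 call over password||salt, then base64(digest||salt).
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def pbkdf2_sha256(password, salt, iterations):
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "{PBKDF2-SHA256}%d$%s$%s" % (iterations, ab64(salt), ab64(dk))

def split_scheme(stored):
    scheme, _, body = stored.partition("}")
    return scheme.upper() + "}", body

def rounds_per_guess(stored):
    """Work an offline guesser pays per candidate; None if scheme unknown."""
    scheme, body = split_scheme(stored)
    if scheme in SINGLE_ROUND:
        return 1
    if scheme.startswith("{PBKDF2"):
        return int(body.split("$", 1)[0])  # iteration count is stored in clear
    return None

def verify(password, stored):
    scheme, body = split_scheme(stored)
    if scheme == "{SSHA256}":
        raw = base64.b64decode(body)  # 32-byte digest followed by the salt
        return hmac.compare_digest(hashlib.sha256(password + raw[32:]).digest(), raw[:32])
    if scheme == "{PBKDF2-SHA256}":
        iters, salt, dk = body.split("$")
        salt, dk = ab64_decode(salt), ab64_decode(dk)
        calc = hashlib.pbkdf2_hmac("sha256", password, salt, int(iters), len(dk))
        return hmac.compare_digest(calc, dk)
    raise ValueError("unsupported scheme: " + scheme)
```

Running `rounds_per_guess` over the userPassword values in a directory export shows which entries still sit on a single-round scheme and would need rehashing at next bind or password change.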