Quanah Gibson-Mount wrote:
> --On Friday, February 24, 2017 9:06 PM +0100 Michael Ströder
> <mich...@stroeder.com> wrote:
>
>> Quanah Gibson-Mount wrote:
>>> I think it would be wise to update OpenLDAP to a different default for
>>> userPassword.
>>
>> Yes!
>>
>>> We currently have the Contrib SHA2 module,
>>
>> SHA-2 hashes with one round are also way too fast to be a good password
>> hash algorithm.
>>
>>> It may be time to move the SHA2 module into core,
>>
>> Yes, but there should be something stronger.
>
> Did you just skip entirely past the point where I said:
>
> "but there has been some discussion of the limitations of the current SHA2
> module in the past that would likely need addressing"

Sorry, it seems I misread your sentence: I assumed you're talking about
concrete deficiencies of the implementation in
./contrib/slapd-modules/passwd/sha2. I was referring to the strength of the
password hashing scheme.

> And yes, perhaps PBKDF2 should be in core as well. ;)

Would be nice.

Ciao, Michael.
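
The difference discussed in the thread, as an added example that is not part of the original messages or of OpenLDAP's code: a single-round salted SHA-256 `userPassword` value beside a PBKDF2-SHA256 one, with a verifier for both. The `{SSHA256}` and `{PBKDF2-SHA256}` value layouts and the adapted base64 encoding are assumptions about how the contrib modules store values; the helper names, sample password, salt and iteration count are constructed for illustration.

```python
import base64
import hashlib
import hmac

PBKDF2_TAG = "{PBKDF2-SHA256}"
SSHA_TAG = "{SSHA256}"

def ab64(data: bytes) -> str:
    # "Adapted base64": '.' instead of '+', no '=' padding (assumed layout).
    return base64.b64encode(data).decode().rstrip("=").replace("+", ".")

def ab64_decode(text: str) -> bytes:
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def make_ssha256(password: bytes, salt: bytes) -> str:
    # One SHA-256 invocation per guess: the "one round" case from the thread.
    digest = hashlib.sha256(password + salt).digest()
    return SSHA_TAG + base64.b64encode(digest + salt).decode()

def make_pbkdf2(password: bytes, salt: bytes, iterations: int) -> str:
    # `iterations` HMAC-SHA256 rounds per guess; the count is stored in the value.
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"{PBKDF2_TAG}{iterations}${ab64(salt)}${ab64(dk)}"

def verify(password: bytes, stored: str) -> bool:
    # Dispatch on the scheme prefix; unknown schemes are rejected.
    if stored.startswith(SSHA_TAG):
        raw = base64.b64decode(stored[len(SSHA_TAG):])
        digest, salt = raw[:32], raw[32:]
        candidate = hashlib.sha256(password + salt).digest()
    elif stored.startswith(PBKDF2_TAG):
        count, salt_b64, dk_b64 = stored[len(PBKDF2_TAG):].split("$")
        digest = ab64_decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password, ab64_decode(salt_b64), int(count))
    else:
        return False
    return hmac.compare_digest(candidate, digest)

def rounds_per_guess(stored: str) -> int:
    # Work an offline guesser must repeat for every candidate password.
    if stored.startswith(PBKDF2_TAG):
        return int(stored[len(PBKDF2_TAG):].split("$")[0])
    return 1

# Constructed sample values, not taken from any real directory.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
FAST = make_ssha256(b"correct horse", SALT)
SLOW = make_pbkdf2(b"correct horse", SALT, 10000)
```

Both values verify the same password, but anyone holding a copy of the stored hashes pays `rounds_per_guess` times the work for each candidate against the PBKDF2 value.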