> Requiring 1GB for a password hash will preclude using it on small devices, 
> e.g. raspberry pi.
> 
> Even 16MB is excessive.

It's sounding like the newer and more complicated hashes have a lot of 
configurable features that may need site-local tuning.  Should these be part of 
e.g. slapd.conf config or be settings embedded in the value format for later 
clarity, like

{HASHNAME:attr=val,attr=val,attr=val}SnVzdCBhbiBleGFtcGxlLCBzaWxseQ==

Considering the size of some of these newfangled hashes, attribute length 
doesn't look to be a relevant concern any longer.  Realistically this would 
probably be a better way to express things like salt values in addition to the 
iteration counts and so on.  If a structured value is what we really want 
there, BER might be more appropriate, possibly with a leading 
{EXTENDED-STRUCTURE} hash declaration.

--
Emily Backes
Symas Corporation
ebac...@symas.com
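
The `{HASHNAME:attr=val,attr=val}base64` value format proposed in the message above can be parsed strictly and checked against site-local caps. This is an added Python sketch, not code from the original message or from slapd. The attribute names `mem_kib` and `iter`, the function names and the cap values are assumptions made for illustration.

```python
import base64
import binascii
import re

# Scheme name, an optional ":attr=val,attr=val" list, then the base64 payload.
_VALUE_RE = re.compile(r"^\{([A-Za-z0-9_-]+)(?::([^{}]*))?\}([A-Za-z0-9+/]*={0,2})$")
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def parse_hash_value(value):
    """Split '{NAME:attr=val,...}base64' into (scheme, params, raw_bytes)."""
    m = _VALUE_RE.match(value)
    if m is None:
        raise ValueError("not in {SCHEME[:attr=val,...]}base64 form")
    scheme, param_text, encoded = m.groups()
    params = {}
    if param_text is not None:
        for item in param_text.split(","):
            name, sep, val = item.partition("=")
            if not sep or not _ATTR_RE.match(name) or val == "":
                raise ValueError(f"malformed parameter {item!r}")
            if name in params:
                # Two copies of one attribute would let parsers disagree.
                raise ValueError(f"duplicate parameter {name!r}")
            params[name] = val
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 payload: {exc}") from None
    return scheme, params, raw


def check_limits(params, limits):
    """Reject values whose integer parameters exceed site-local caps."""
    for name, cap in limits.items():
        val = params.get(name)
        if val is None:
            continue
        if not (val.isascii() and val.isdigit()):
            raise ValueError(f"parameter {name!r} must be a decimal integer")
        if int(val) > cap:
            raise ValueError(f"parameter {name!r}={val} exceeds cap {cap}")


if __name__ == "__main__":
    sample = "{HASHNAME:mem_kib=16384,iter=3}SnVzdCBhbiBleGFtcGxlLCBzaWxseQ=="  # constructed
    scheme, params, raw = parse_hash_value(sample)
    check_limits(params, {"mem_kib": 16384})  # hypothetical 16 MiB site cap
    print(scheme, params, len(raw))
```

A value with no parameter list, such as `{SSHA}...`, parses to an empty parameter dictionary, so older values and parameterised ones can share one code path.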
