directory-fortress mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: multiple user passwords in fortress-rest
Date Fri, 24 Apr 2015 14:05:00 GMT
On 24/04/15 15:49, Shawn McKinney wrote:
>> On Apr 24, 2015, at 8:09 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
>>
>> Ouch !!!
>>
>> Wouldn't had it been more efficient to store the password using a base64
>> encoding ?
> A couple of years ago, ldapcon2011, I let someone talk me into changing the password
> from string to char array representation.  The rationale was that a string password introduces
> a vulnerability.

But a base-64 representation of a char[] (or even better, byte[],
assuming the password is UTF-8 encoded) is most certainly better, from a
security POV.

Also, considering that what you are using are pure ASCII chars, which will
not be appropriate for around 4/5 of the world, such a modification
could be valuable.

As a matter of fact, passwords in LDIF are generally stored already
hashed, i.e. as byte[], because whatever representation you use (being a
String or a char[]), this is already fully vulnerable...

IMO, there is something wrong in this area...
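The byte[]/UTF-8/Base64 handling discussed in this message, as an added example that is not part of the thread or of Fortress itself; the class and method names are assumptions, and the sample password is constructed:

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper (not Fortress code): carry a password as UTF-8 bytes,
// Base64-encoded for transport, and wipe every intermediate buffer so that
// nothing but the wire form outlives the call. A String could not be wiped.
public final class PasswordTransport {

    /** Base64 over the UTF-8 bytes of a char[] password; the caller's char[] is zeroed. */
    static String toBase64Utf8(char[] password) {
        // CharBuffer.wrap does not copy, so no second char[] is left behind.
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[utf8.remaining()];
        utf8.get(bytes);
        // Charset.encode allocates a heap buffer; clear it, then the caller's chars.
        if (utf8.hasArray()) {
            Arrays.fill(utf8.array(), (byte) 0);
        }
        Arrays.fill(password, '\0');
        try {
            return Base64.getEncoder().encodeToString(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    /** Back to raw UTF-8 bytes, the form a server would hash; no String is built. */
    static byte[] fromBase64Utf8(String encoded) {
        return Base64.getDecoder().decode(encoded);
    }

    public static void main(String[] args) {
        // Constructed sample with non-ASCII chars (real code would take the char[]
        // from the input field; a String literal is itself unwipeable).
        char[] pw = "p\u00e4ssw\u00f6rd\u20ac".toCharArray();
        int charCount = pw.length;
        String wire = toBase64Utf8(pw);
        byte[] raw = fromBase64Utf8(wire);
        // char count and UTF-8 byte count differ: an ASCII-only path would mangle this.
        System.out.println("chars=" + charCount + " utf8Bytes=" + raw.length + " wire=" + wire);
        System.out.println("caller's char[] wiped: " + Arrays.equals(pw, new char[charCount]));
        Arrays.fill(raw, (byte) 0);
    }
}
```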
