On Oct 26, 2021, at 12:51 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:adius-chap/
For better GDPR compliance and security I'd like to recommend using NT-Password for authentication (sambaNTPassword in LDAP).
All 8-character NT hashes can be cracked fairly quickly: https://www.theregister.com/2019/02/14/password_length/
These passwords stored as NThashes are fully compliant with MSCHAP authentication, but you have to store them in LDAP (or even database), so you have to store and chage both: SHA hashed userPassword and NT hashed sambaNTPassword for each user. The drawback is that such a solution requires 3rd party password updating tool for LDAP.
My choice would be (in order) * use whatever is mandated by your DB, because you don't have a choice e.g. NT hashes for Active Directory * some crypt'd / salted format. Whatever it is doesn't matter, so long as it's relatively recent * clear-text passwords If you're not using AD, then NT hashes are *slightly* better than clear-text passwords. But any additional security is little more than an illusion. If someone gets access to the password DB, then NT hashes are entirely equivalent to clear-text passwords. Anyone with $ to spare can crack the passwords pretty quickly. Alan DeKok.