On Dec 20, 2019, at 6:43 AM, Sven Hartge <sven@svenhartge.de> wrote:
On 19.12.19 23:42, Coy Hile wrote:
Is it really industry standard that people store users' passwords in cleartext? It seems to be a requirement, but it is something that gives me pause, as to do so contravenes what are otherwise best practices.
We (my employer) uses a different password for everything related to network access, meaning mainling WiFi and VPN.
This password has do be different than the main account password, can only be (re)set using the main account password and is stored in a different attribute in LDAP, which freeradius then reads and puts into the Cleartext-Password attribute.
Requiring a separate password for such things is already something I expected and will require. Are there concerns that whomever manages the directory can read that plaintext attribute (whether it be in the directory or a database? Or, honestly, that any actors who gain access to the RADIUS server can thus read the same? I’m trying to anticipate questions I’d certainly be asked by reviewers who balk at that. Being able to point and say “It’s widely considered best practice.” could help. -- Coy Hile coy.hile@coyhile.com