NTLM hashed passwords.
freeradius-users at latter.org
Tue Jul 19 18:03:20 CEST 2016
On 15/07/16 18:35, Arran Cudbard-Bell wrote:
>
>> On Jul 15, 2016, at 1:20 PM, freeradius-users at latter.org wrote:
>>
>> On 15/07/16 16:52, Arran Cudbard-Bell wrote:
>>> There's not a huge advantage in storing unsalted MD4 hashed passwords.
>>
>> In terms of security? It ticks the box marked "did the best we could".
>
> No, the best you could would be to use EAP-TLS, because PEAP and TTLS are
> horrifically insecure in their current OSX and Windows implementations.

Unfortunately the commercial reality of it is that we must stick to the
"convenience" end of the "security-versus-convenience" scale.

In a week we will have about 6000 wifi devices authenticating.
Most are regular users but a fair number are only using it for
the day. We have no control over what people turn up with - could
be a PDP-11 or an internet-enabled fridge magnet. The devices tend
more towards the MacOS / iOS than you might find in general.

Most of the users are non-technical, but there's enough full-time
geeks to keep us on our toes.

>> And it does protect those who use long passwords.
>
> Not really, you just need to find a collision, the length of the password
> doesn't matter for that type of attack.
>
> It does stop an attacker using the collided password with another service,
> that's about it.
Which is the point, a lot of the time, IMO.