NTLM hashed passwords.

freeradius-users at latter.org freeradius-users at latter.org
Tue Jul 19 18:03:20 CEST 2016

On 15/07/16 18:35, Arran Cudbard-Bell wrote:
>> On Jul 15, 2016, at 1:20 PM, freeradius-users at latter.org wrote:
>> On 15/07/16 16:52, Arran Cudbard-Bell wrote:
>>> There's not a huge advantage in storing unsalted MD4 hashed passwords.
>> In terms of security?  It ticks the box marked "did the best we could".
> No, the best you could would be to use EAP-TLS, because PEAP and TTLS are
> horrifically insecure in their current OSX and Windows implementations.

Unfortunately the commercial reality of it is that we must stick to the
"convenience" end of the "security-versus-convenience" scale.

In a week we will have about 6000 wifi devices authenticating.
Most are regular users but a fair number are only using it for
the day.  We have no control over what people turn up with - could
be a PDP-11 or an internet-enabled fridge magnet.  The devices tend
more towards the MacOS / iOS than you might find in general.

Most of the users are non-technical, but there's enough full-time
geeks to keep us on our toes.

>> And it does protect those who use long passwords.
> Not really, you just need to find a collision, the length of the password
> doesn't matter for that type of attack.
> It does stop an attacker using the collided password with another service,
> that's about it.

Which is the point, a lot of the time, IMO.

More information about the Freeradius-Users mailing list