Is there a best practice around credential storage?

Coy Hile coy.hile at coyhile.com
Fri Dec 20 13:06:28 CET 2019



> On Dec 20, 2019, at 6:43 AM, Sven Hartge <sven at svenhartge.de> wrote:
> 
> On 19.12.19 23:42, Coy Hile wrote:
> 
>> Is it really industry standard that people store users' passwords in
>> cleartext? It seems to be a requirement, but it is something that gives
>> me pause, as to do so contravenes what are otherwise best practices.
> 
> We (my employer) use a different password for everything related to
> network access, meaning mainly WiFi and VPN.
> 
> This password has to be different than the main account password, can
> only be (re)set using the main account password and is stored in a
> different attribute in LDAP, which freeradius then reads and puts into
> the Cleartext-Password attribute.
> 

Requiring a separate password for such things is already something I expected and will require. Are there concerns that whoever manages the directory can read that plaintext attribute (whether it be in the directory or a database)? Or, honestly, that any actors who gain access to the RADIUS server can thus read the same? I’m trying to anticipate questions I’d certainly be asked by reviewers who balk at that. Being able to point and say “It’s widely considered best practice.” could help.

--
Coy Hile
coy.hile at coyhile.com
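The scheme Sven describes (a separate network-access password kept in its own LDAP attribute and mapped by FreeRADIUS into Cleartext-Password) looks like the following in a FreeRADIUS 3.x `ldap` module. This is an added example, not configuration from the thread or from the FreeRADIUS project; the server name, bind DN, base DN and the attribute name `radiusPassword` are assumptions, and the bind secret is a placeholder.

```text
# mods-available/ldap (FreeRADIUS 3.x) -- added example, not from the thread.
# Assumed values: server, bind DN, base DN and the attribute name radiusPassword.
ldap {
	# assumption: directory host
	server = 'ldap.example.org'

	# Dedicated, low-privilege bind identity used only by the RADIUS server.
	# The directory ACL should allow ONLY this DN to read radiusPassword.
	identity = 'cn=freeradius,ou=services,dc=example,dc=org'
	# placeholder: the real bind secret lives outside this example
	password = 'REPLACE-WITH-BIND-SECRET'

	# assumption: where user entries live
	base_dn = 'ou=people,dc=example,dc=org'

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	update {
		# Network-access password only: read from its own attribute, never
		# from userPassword, so the main account password is not held in
		# cleartext anywhere. (assumed attribute name)
		control:Cleartext-Password := 'radiusPassword'
	}
}
```

Two points worth raising with the reviewers Coy anticipates. First, the reason the value must be recoverable at all is the EAP methods in use: PEAP/EAP-MSCHAPv2 cannot verify a password against a one-way hash such as a salted SHA in `userPassword`, so FreeRADIUS needs either Cleartext-Password or an NT-Password (MD4) value, and the separate-attribute design confines that weakness to a password that unlocks only network access. Second, the attribute's exposure is bounded by the directory ACL and by the RADIUS host itself: in OpenLDAP an access rule of the form `to attrs=radiusPassword by dn.exact="cn=freeradius,ou=services,dc=example,dc=org" read by self =w by * none` (DN assumed, matching the example above) limits reads to the RADIUS bind DN while still letting users set their own value, so a directory administrator reading it must do so with explicit elevated rights, which is auditable, and compromise of the RADIUS server exposes only the network-access credentials rather than the main account passwords.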