CentOS OpenLDAP pwdReset Attribute

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Oct 26 21:28:11 CEST 2021


On 26.10.2021 at 21:05, Alan DeKok wrote:
> On Oct 26, 2021, at 1:42 PM, Marek Zarychta <zarychtam at plan-b.pwste.edu.pl> wrote:
>> Indeed, it can be easily cracked, but NT-Password is stored as
>> 32-character long MD4 hash and at least needs some effort to be cracked.
> 
>   The issue isn't the length of the hash.  The issue is the length of the input.
> 
>   *All* passwords of length 8 can be cracked in a short amount of
> time, if you have the MD4 hash of the password.  That time is days for
> someone who's bored, and has a GPU to spare.  It's maybe minutes for
> someone who has $$ to spend on hardware.
> 
>   If there are additional requirements on the contents of the password, then this time goes down substantially.
> 
>   Each additional requirement of things like "MUST include one uppercase letter" will reduce the time required by 50%.  Requirements like "MUST include a special character" or "MUST include a number" will reduce the time required by 80% or more.
> 
>   Those kind of limitations are security theatre, and make things worse. :(  They change the time required to crack NT hash from minutes (for someone with $$) to seconds.

Thank you for the comprehensive explanation, but I still believe that
MD4 hash is more GDPR conformant than Cleartext-Password ;)

>   The main reason to use NT hashes is because you're using Active Directory, and AD doesn't really use anything else.  Everyone else should really switch to crypt'd passwords.

But can anything besides NT-Password or Cleartext-Password work for
MSCHAP authentication?

> 
>> I never recommended using eight-character Windows NTLM passwords and
>> wonder if they will work for MSCHAP auth.
> 
>   LM hashes won't work for MS-CHAP.

I am sorry, I have not carefully read this article and at a glance
confused NTLM with LM.


-- 
Marek Zarychta
