Don't use CHAP or MS-CHAP!

Alan DeKok aland at
Sat Jul 6 11:33:02 UTC 2024


	... researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords.

  The only reason that passwords leak is that organizations store clear-text passwords in a database.  That approach has been a terrible idea for decades, and this latest leak proves it.

  With CHAP, passwords *have* to be stored in clear-text in the DB, where attackers can steal them.

  With PAP, passwords can be stored in "crypted" form.  When an attacker steals the DB, the passwords are protected.

  I've written more in an article on our web site.

  As for MS-CHAP, it can be broken by an attacker with a laptop, in milliseconds.  It should be considered to be no more secure than sending clear-text passwords over the wire, without even the protection that RADIUS offers for PAP.

  Alan DeKok.
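Added illustration of the storage point made in the post above (example code written for this page; it is not Alan's code and not FreeRADIUS code). It contrasts the two verification paths: CHAP, where the server recomputes MD5(Identifier || secret || Challenge) per RFC 1994 and therefore must hold the clear-text secret, and PAP, where the server receives the password and can check it against a salted one-way hash. PBKDF2-SHA256 is used here as a representative "crypted" form; the record format, the user name and the password are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- CHAP (RFC 1994) -------------------------------------------------------
# The client proves knowledge of the secret by returning
# MD5(Identifier || secret || Challenge). To verify that value the server
# must recompute it, which is only possible when it holds the secret itself
# in clear text. A stolen database therefore hands over every secret.

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client-side CHAP response (also what the server must recompute)."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()

def chap_verify(stored_cleartext_secret: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server-side check; note the clear-text secret is a required input."""
    expected = chap_response(identifier, stored_cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)

# --- PAP -------------------------------------------------------------------
# The client sends the password itself (RADIUS obscures it on the wire with
# the shared secret). The server can compare it against a salted, iterated
# one-way hash, so the stored record never contains the password.

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example

def pap_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a 'crypted' record: pbkdf2_sha256$<iterations>$<salt>$<digest>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def pap_verify(stored_record: str, password: str) -> bool:
    """Server-side check against the stored hash; no clear text needed."""
    scheme, iterations, salt_hex, digest_hex = stored_record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- What a stolen user database would contain -----------------------------

def build_user_db(username: str, password: str) -> dict:
    """Constructed sample: the same user stored the CHAP way and the PAP way."""
    return {
        "chap": {username: password},                  # clear text, by necessity
        "pap":  {username: pap_hash_password(password)},
    }

def record_reveals_password(record: str, password: str) -> bool:
    """True when the stored value is the password itself."""
    return record == password

if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    db = build_user_db("alice", pw)
    challenge = os.urandom(16)
    resp = chap_response(7, pw, challenge)
    print("CHAP verifies:", chap_verify(db["chap"]["alice"], 7, challenge, resp))
    print("PAP  verifies:", pap_verify(db["pap"]["alice"], pw))
    print("CHAP record exposes password:", record_reveals_password(db["chap"]["alice"], pw))
    print("PAP  record exposes password:", record_reveals_password(db["pap"]["alice"], pw))
```

The two `*_verify` functions take the stored record as their first argument on purpose: for CHAP that argument has to be the secret itself, for PAP it is a hash that cannot be turned back into the password, which is the whole difference between the two schemes when the database leaks.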
