[ale] How LDAP works with authentication

Jason Day jasonday at worldnet.att.net
Wed Oct 12 17:38:21 EDT 2005


On Wed, Oct 12, 2005 at 04:51:54PM -0400, Christopher Fowler wrote:
> The question here is what is safer.  Using SSL to transmit a plain-text
> password or using SSL to transmit a password that is MD5 encrypted.

Well, to be fair, I think you're splitting hairs here; I don't think
brute-forcing an MD5 hash is going to be *that* much of a challenge to
someone with the capability of retrieving the plain text of an SSL
session.

Here's a better question: Is the (arguably) better protection you get
from sending an MD5 hash of a password vs. plain text over an SSL
connection worth the added burden of adding the password hash to the
user object *and* keeping the password hash in sync with the user's
password?
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9



More information about the Ale mailing list