Overview

A password storage scheme provides a mechanism for encoding user passwords for storage in the server. In most cases, the password is encoded in a manner that prevents anyone who can read the stored value from recovering the clear-text password, while still allowing the server to determine whether the user-supplied password is correct.

Password storage schemes we have run into include:

  • 3DES -- The password will be encoded using Triple DES. Triple DES is a variation of the Data Encryption Standard (DES) that is three times slower than its predecessor but provides stronger protection. The algorithm uses three 64-bit keys for a combined key length of 192 bits. The data is encrypted with the first key, decrypted with the second key, and then re-encrypted with the third key. You must ensure that the first and second keys, the second and third keys, or all three keys are not identical; otherwise the construction collapses to single DES.
  • AES -- The Advanced Encryption Standard is a symmetric block cipher that processes data blocks of 128 bits, using cipher keys with lengths of 128 (AES-128), 192 (AES-192), or 256 (AES-256) bits, and is based on the Rijndael algorithm.
  • Base64 -- The password will be Base64-encoded, which provides a very weak form of protection (anyone can decode it) and should only be used for cases in which clients require this storage scheme.
  • Blowfish -- The password will be encoded using the Blowfish algorithm with a 128-bit key.
  • CLEAR -- The password will be stored in clear-text.
  • Crypt -- The password will be encoded using the UNIX crypt algorithm. This is a one-way algorithm, but it is considered weak by current standards and should generally only be used for clients which require this storage scheme.
  • MD5 -- The password will be encoded using an unsalted version of the MD5 message digest algorithm. This is relatively secure, although any of the Secure Hash Algorithm variants is considered stronger than MD5.
  • RC4 -- The password will be encoded using RC4, a variable-key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation.
  • SMD5 -- The password will be encoded using a salted version of the MD5 message digest algorithm.
  • SHA -- The password will be encoded using an unsalted version of the SHA-1 Secure Hash Algorithm. The salted variant of this algorithm is preferred.
  • SSHA -- The password will be encoded using a salted version of the SHA-1 Secure Hash Algorithm.
  • SSHA256 -- The password will be encoded using a salted 256-bit version of the SHA-2 Secure Hash Algorithm.
  • SSHA384 -- The password will be encoded using a salted 384-bit version of the SHA-2 Secure Hash Algorithm.
  • SSHA512 -- The password will be encoded using a salted 512-bit version of the SHA-2 Secure Hash Algorithm.

Note that some LDAP servers also support the use of the authentication password syntax.
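As an added example (not code from this page or from any particular LDAP server), the following Python encodes and verifies passwords under the salted and unsalted digest schemes listed above. It assumes the widely used `{SCHEME}base64(digest || salt)` layout for the stored value; the exact layout and salt length are server-specific, so treat those as assumptions.

```python
import base64
import hashlib
import hmac
import os

# Digest algorithm and whether a salt is appended, keyed by scheme name.
# Assumed layout (common LDAP convention): {SCHEME}base64(digest || salt).
_SCHEMES = {
    "MD5": ("md5", False),     "SMD5": ("md5", True),
    "SHA": ("sha1", False),    "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True),
    "SSHA384": ("sha384", True),
    "SSHA512": ("sha512", True),
}

def encode_password(password, scheme, salt=None):
    """Return a stored value such as {SSHA}..., with a fresh random salt if the scheme is salted."""
    scheme = scheme.upper()
    algo, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""                 # unsalted schemes: identical passwords give identical values
    elif salt is None:
        salt = os.urandom(8)       # assumed salt length; servers vary
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def parse_stored(stored):
    """Split a stored value into (scheme, digest, salt); None if malformed or unknown."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return None
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return None
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return None
    return scheme, raw[:dlen], raw[dlen:]

def verify_password(password, stored):
    """Check a clear-text password against a stored value; malformed input is a mismatch."""
    if stored.upper().startswith("{CLEAR}"):
        return hmac.compare_digest(stored[7:].encode("utf-8"), password.encode("utf-8"))
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    candidate = hashlib.new(_SCHEMES[scheme][0], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Encoding the same password twice under an unsalted scheme yields the same stored value, while a salted scheme yields a different value each time, which is the property the "salted variant is preferred" remarks above refer to.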

This page (revision-17) was last changed on 28-Sep-2016 12:06 by jim