[ale] How LDAP works with authentication
Jason Day
jasonday at worldnet.att.net
Wed Oct 12 17:38:21 EDT 2005
On Wed, Oct 12, 2005 at 04:51:54PM -0400, Christopher Fowler wrote:
> The question here is what is safer. Using SSL to transmit a plain-text
> password or using SSL to transmit a password that is MD5 encrypted.
Well, to be fair, I think you're splitting hairs here; I don't think
brute-forcing an MD5 hash is going to be *that* much of a challenge to
someone with the capability of retrieving the plain text of an SSL
session.
Here's a better question: Is the (arguably) better protection you get
from sending an MD5 hash of a password vs. plain text over an SSL
connection worth the added burden of adding the password hash to the
user object *and* keeping the password hash in sync with the user's
password?
--
Jason Day jasonday at
http://jasonday.home.att.net worldnet dot att dot net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
More information about the Ale
mailing list