Is your password more secure in any way if it is stored on LDAP rather than a database or an encrypted file?
With LDAP, the password is verified on the server. It is not a whole lot safer by design. But there are lots of SSO solutions that use LDAP, so there is a very large user base.
Passwords are as secure as the weakest link between the user and the location where the password is stored. Basically, this means that it's not only the way the password is stored that needs to be secured, but also the connection lines between user and storage. When server and communications are secure, the weakest link often turns out to be the user. (Because users sometimes have the memory capacity of a pet rock.)
A colleague of mine once lost his laptop and he was quite worried that the thief would access all the secret stuff on his system. As it turned out, he had attached a small note on his laptop with his password on it. And unfortunately, he isn't the only person in this world who just writes passwords on a note next to their computer.
LDAP is a communication protocol, the way the password is stored is pretty much up to the directory system. See NTLM user authentication in Windows for what Windows does for example.
The LAN Manager-compatible password is compatible with the password that is used by LAN Manager. This password is based on the original equipment manufacturer (OEM) character set. This password is not case sensitive and can be up to 14 characters long. The OWF version of this password is also known as the LAN Manager OWF or ESTD version. This password is computed by using DES encryption to encrypt a constant with the clear text password. The LAN Manager OWF password is 16 bytes long. The first 7 bytes of the clear text password are used to compute the first 8 bytes of the LAN Manager OWF password. The second 7 bytes of the clear text password are used to compute the second 8 bytes of the LAN Manager OWF password.
The Windows password is based on the Unicode character set. This password is case sensitive and can be up to 128 characters long. The OWF version of this password is also known as the Windows OWF password. This password is computed by using the RSA MD-4 encryption algorithm. This algorithm computes a 16-byte digest of a variable-length string of clear text password bytes.
It's not particularly super safe, but Active Directory is usually implemented with lockout after a few bad attempts, so that's not so bad. In general, any code written by a vendor is better than rolling out your own.
It also depends how you are storing your password in the database and what policies are applied. Storing a plain password, unhashed or unencrypted, is a terrible idea. Normally a directory system takes care of that. AD, for example, could also require password complexity and prevent reuse of the same password, etc. Putting it into a file where it's accessible to an attacker would be a bad idea.
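To make the Windows OWF quoted above concrete, here is an added example in Python; it is my own illustration, not code from any answer here or from Microsoft. It implements the Windows (NT) OWF, an MD4 digest of the UTF-16LE password, with a pure-Python MD4 because hashlib's md4 is an OpenSSL legacy algorithm that many builds no longer load. The LAN Manager OWF is left out because it needs DES, which the standard library does not provide. The `find_shared_passwords` audit and the sample account list are constructed for the example; they show one reason the OWF is "not particularly super safe": it has no salt, so anyone who can read the hash store sees which accounts share a password without cracking anything.

```python
import struct


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python; hashlib's md4 is an OpenSSL
    legacy algorithm that many builds no longer expose)."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as a
    # little-endian 64-bit integer.
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        s = list(state)
        # Each round is 16 steps; step i updates word (-i) % 4, which rotates
        # the roles of a, b, c, d exactly as in the RFC's step tables.
        for i in range(16):  # round 1: F, message words in order 0..15
            r = (-i) % 4
            b, c, d = s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]
            s[r] = rotl((s[r] + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,9,13,...
            r = (-i) % 4
            b, c, d = s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]
            k = (i % 4) * 4 + i // 4
            s[r] = rotl((s[r] + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,6,14,...
            r = (-i) % 4
            b, c, d = s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            s[r] = rotl((s[r] + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
        state = [(u + v) & mask for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows OWF ("NT hash"): MD4 over the UTF-16LE encoding of the password.
    Case sensitive and, unlike a salted LDAP scheme such as {SSHA}, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def find_shared_passwords(accounts: dict) -> dict:
    """Group account names by NT hash (hypothetical audit helper). Because the
    OWF has no salt, accounts with the same password have identical hashes, so
    a reader of the hash store learns who shares a password without cracking."""
    by_hash = {}
    for user, pw in accounts.items():
        by_hash.setdefault(nt_hash(pw), []).append(user)
    return {digest: users for digest, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {"alice": "password", "bob": "Password", "carol": "password", "dave": "hunter2"}
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    print(find_shared_passwords(sample))
```

Note that "password" and "Password" land in different groups (the Windows OWF is case sensitive, as the quoted text says), while alice and carol share a hash. A salted scheme would give every account a distinct stored value even for identical passwords.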
As long as you do not expose your password unencrypted on the network, it is just as safe as storing hashed passwords in databases. Depending on LDAP server implementations you can use many different kinds of hashes.
OpenLDAP offers CRYPT, MD5, SMD5, SSHA and SHA (according to my man page).
In short, LDAP offers you similar hashing capabilities as you would have hashing the passwords yourself and storing them in an SQL database.
Passwords are stored as hashed strings in LDAP directories. OpenLDAP for example supports the schemes salted SHA1 {SSHA}, crypt {CRYPT} (OS dependent), MD5 {MD5}, salted MD5 {SMD5} and SHA1 {SHA}.
. I think Active Directory servers store some sort of LM hash and/or NT hash.
Given that fact, storing a password in an LDAP directory is not more or less secure than storing the hashed password (same hashing assumed) in a file or an SQL database. Everyone who has direct access to the underlying data structure can at least read the hashed password value (if the data is not additionally encrypted on a file or filesystem basis).
The decision whether to use LDAP or some other kind of account storage mechanism will surely not be based on the fact how secure the passwords are stored. The decision will rather be based on how the authentication will be done and what other requirements you have to fulfil. LDAP comes in handy when you have to connect different clients to a central authentication system (e.g. proprietary software, email servers) or if you have to integrate it into some KERBEROS or SASL authentication scenario.
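As an added example for the two answers above that list OpenLDAP's {SHA}, {SSHA}, {MD5} and {SMD5} schemes (this is my own illustration in Python, not OpenLDAP's code): a userPassword value is the scheme prefix followed by base64 of the digest, and for the salted schemes the salt is appended to the digest before encoding, so verification means decoding, splitting at the digest length, and recomputing. {CRYPT} is omitted because it calls the OS crypt(3). The four-byte salt is an assumption matching the 32-character {SSHA} values slappasswd produces. Note that `ldap_verify` needs nothing but the stored string, which is exactly the point made above about anyone with access to the underlying data: an offline cracker works from the same input.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme prefix -> (hashlib algorithm name, salted?). {CRYPT} is omitted: it
# calls the platform crypt(3) and its output is OS dependent.
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}

SALT_LEN = 4  # assumption: matches the 32-char {SSHA} values slappasswd emits


def ldap_hash(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the "{SCHEME}base64" format.
    Salted schemes hash password||salt and append the salt to the digest."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(password: str, stored: str) -> bool:
    """Check a password using only the stored value: the prefix names the
    hash and the digest length tells where the salt starts."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme prefix")
    scheme = stored[: stored.index("}") + 1]
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme " + scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme):])
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        raise ValueError("malformed stored value")
    digest, salt = raw[:dlen], raw[dlen:]
    computed = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a verifier does not leak digest bytes by timing.
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    for scheme in SCHEMES:
        value = ldap_hash("password", scheme)
        print(scheme, value, ldap_verify("password", value))
```

Running it shows the difference between the salted and unsalted schemes directly: {SHA} and {MD5} give the same string every time for the same password, while each {SSHA} or {SMD5} call yields a different value that still verifies.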