On 08/01/2016 08:59 PM, William Brown wrote:
> Hi,
>
> I would like to propose an idea that will help improve the security of
> DS password storage for new installations and their future upgrades.
>
> I would like to change the default value of passwordStorageScheme to a
> type called DEFAULT.
>
> The implementation of DEFAULT would be an interface to the "current best
> practice storage mechanism of this release of directory server".
>
> This way sites that want to customise their hash types can. Sites that
> "install and forget" will gain a strong password storage mechanism out
> of the box.
>
> Additionally, we can *change* the DEFAULT mapping in releases as we have
> better and stronger hashes, or as we learn and get better advice on
> their security. This way, users who "install and forget" are continually
> moving forwards with their security as they upgrade versions. When user
> passwords are changed in their systems, they are updated to the newer
> hashes etc.
>
> I think this would be a trivial feature to implement and add, and I
> think that the net increase in security for administrators and accounts
> on their system is huge.
>
> Is this something we would like to pursue?

I think this is something that would be nice to have. Open a ticket for it, and we'll triage it for the next appropriate release.

>
> --
> 389-devel mailing list
> 389-devel@lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/389-devel@lists.fedoraproject.org
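A sketch of the DEFAULT idea proposed in this thread, added here as an example; it is not code from 389 Directory Server or from either poster. The release labels, the per-release mapping table, the function names and the `{SCHEME}base64(salt+digest)` storage format are assumptions made for illustration. It shows the property the proposal relies on: the stored value records the concrete scheme, so hashes written under an older DEFAULT still verify after an upgrade and move to the newer scheme only when the password is changed.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 16

def _ssha512(pw: bytes, salt: bytes) -> bytes:
    return hashlib.sha512(pw + salt).digest()

def _pbkdf2_sha256(pw: bytes, salt: bytes) -> bytes:
    # Iteration count is illustrative only, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 10_000)

# Concrete schemes this (hypothetical) server build knows how to compute.
SCHEMES = {"SSHA512": _ssha512, "PBKDF2_SHA256": _pbkdf2_sha256}

# Constructed mapping: what DEFAULT means in each (hypothetical) release.
DEFAULT_BY_RELEASE = {"release-A": "SSHA512", "release-B": "PBKDF2_SHA256"}

def resolve(configured: str, release: str) -> str:
    """Turn the configured passwordStorageScheme into a concrete scheme name."""
    if configured == "DEFAULT":
        return DEFAULT_BY_RELEASE[release]
    if configured not in SCHEMES:
        raise ValueError(f"unknown storage scheme: {configured}")
    return configured  # sites that pin a scheme keep it across upgrades

def store(password: str, configured: str, release: str) -> str:
    """Hash a new or changed password; the tag is never the literal DEFAULT."""
    scheme = resolve(configured, release)
    salt = os.urandom(SALT_LEN)
    digest = SCHEMES[scheme](password.encode(), salt)
    return "{%s}%s" % (scheme, base64.b64encode(salt + digest).decode())

def verify(password: str, stored: str) -> bool:
    """Check a password against the scheme named in the stored value itself."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, blob = stored[1:].partition("}")
    if scheme not in SCHEMES:
        return False
    raw = base64.b64decode(blob)
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    return hmac.compare_digest(SCHEMES[scheme](password.encode(), salt), digest)

if __name__ == "__main__":
    old = store("s3cret", "DEFAULT", "release-A")      # written before the upgrade
    print(old.split("}")[0] + "}", verify("s3cret", old))
    new = store("n3w-s3cret", "DEFAULT", "release-B")  # password change after upgrade
    print(new.split("}")[0] + "}", verify("n3w-s3cret", new))
```
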