Password Hashing & Security
Is it required to send a plain-string password while authenticating with AD? I mean, if AD stores the user password it must be encrypting it in some way or other; can we send an encrypted password for authentication? Here is what I mean:
var ActiveDirectory = require('activedirectory');
// Assumed to be defined earlier (not shown in the issue): config, username, password
var ad = new ActiveDirectory(config);
ad.authenticate(username, password, function(err, auth) { // instead of plain password can it be encrypted password
    if (err) {
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }
    if (auth) {
        console.log('Authenticated!');
    } else {
        console.log('Authentication failed!');
    }
});
I have also posted this on StackOverflow.
Issue Analytics
- Created 6 years ago
- Comments: 5
Top GitHub Comments
The solution is to use ldaps (Secure LDAP) and provide a CA for verification when you first connect. The credentials being sent over the wire will be encrypted and MITM attacks won't work if you force certificate verification.
Please excuse me if this is out of context. Is there any way to avoid hardcoding the password in the code? Can we have one method which accepts an encrypted or hashed password to connect to AD?