Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Password Hashing & Security

See original GitHub issue

Is it required to send plain string password while authenticating with AD? I mean if ad stores the user password it must be encrypting it in someway or other, can we send a encrypted password for authentications? Here is what I mean -

ad.authenticate(username, password, function(err, auth) { // instead of plain password can it be encrypted password
  if (err) {
    console.log('ERROR: '+JSON.stringify(err));
    return;
  }
  
  if (auth) {
    console.log('Authenticated!');
  }
  else {
    console.log('Authentication failed!');
  }
})

I have also posted this in StackOverflow

Issue Analytics

State:
Created 6 years ago
Comments:5

Top GitHub Comments

2reactions

HunterMitchellcommented, Dec 13, 2017

The solution is to use ldaps (Secure LDAP) and provide a CA for verification when you first connect. The credentials being sent over the wire will be encrypted and MITM attacks won’t work if you forcing certificate verification.

const ActiveDirectory = require("activedirectory");
const ad = new ActiveDirectory({
    url: "ldaps://dc.domain.com",
    baseDN: "dc=domain,dc=com",
    username: "username@domain.com",
    password: "password",
    tlsOptions: {
        ca: [fs.readFileSync("CA.crt")],
        rejectUnauthorized: true // Force Certificate Verification 
    }
});

0reactions

Dinesh-ARcommented, Oct 4, 2019

Please excuse me if this is out of context. Is there any way to avoid hardcoding the password in the code? Can we have one method to which accepts encrypted or hashed password to connect to AD.

Top Results From Across the Web

About Secure Password Hashing

Passwords should be hashed with either PBKDF2, bcrypt or scrypt, MD-5 and SHA-3 should never be used for password hashing and SHA-1/2(password+ ...

Password Storage - OWASP Cheat Sheet Series

Hashing and encryption both provide ways to keep sensitive data safe. However, in almost all circumstances, passwords should be hashed, NOT encrypted. Hashing...

Hashing Techniques for Password Storage - Okta Developer

A brief look at password hashing functions and some practical recommendations.

Secure Salted Password Hashing - How to do it Properly

The simplest way to crack a hash is to try to guess the password, hashing each guess, and checking if the guess's hash...

How Password Hashing Algorithms Work and Why You Never ...

Standard cryptographic hash functions are designed to be fast, and when you're hashing passwords, it becomes a problem. Password hashing must be ...