
Password Hashing & Security


Is it required to send the plain-string password while authenticating with AD? I mean, if AD stores the user password it must be encrypting it in some way or other; can we send an encrypted password for authentication? Here is what I mean -

// Assumed setup for this snippet (the issue omits it): an ActiveDirectory instance
// pointed at the directory; url and baseDN values are illustrative.
const ActiveDirectory = require('activedirectory');
const ad = new ActiveDirectory({ url: 'ldap://dc.domain.com', baseDN: 'dc=domain,dc=com' });

ad.authenticate(username, password, function(err, auth) { // instead of plain password can it be encrypted password
  if (err) {
    // err is set when the bind itself could not be performed (network, TLS, bad DN, ...)
    console.log('ERROR: '+JSON.stringify(err));
    return;
  }

  // auth is true only when the directory accepted the username/password pair
  if (auth) {
    console.log('Authenticated!');
  }
  else {
    console.log('Authentication failed!');
  }
})

I have also posted this on StackOverflow.

Issue Analytics

  • State: open
  • Created: 6 years ago
  • Comments: 5

Top GitHub Comments

2 reactions
HunterMitchell commented, Dec 13, 2017

The solution is to use ldaps (Secure LDAP) and provide a CA for verification when you first connect. The credentials being sent over the wire will be encrypted, and MITM attacks won't work if you force certificate verification.

const fs = require("fs");                       // needed for readFileSync below
const ActiveDirectory = require("activedirectory");
const ad = new ActiveDirectory({
    url: "ldaps://dc.domain.com",               // ldaps:// so the bind password travels inside TLS
    baseDN: "dc=domain,dc=com",
    username: "username@domain.com",
    password: "password",
    tlsOptions: {
        ca: [fs.readFileSync("CA.crt")],        // the CA that issued the domain controller's certificate
        rejectUnauthorized: true // Force Certificate Verification
    }
});
0 reactions
Dinesh-AR commented, Oct 4, 2019

Please excuse me if this is out of context. Is there any way to avoid hardcoding the password in the code? Can we have one method which accepts an encrypted or hashed password to connect to AD?

