Re: Normalization of passwords in SASL and SSH

To: ietf-ssh%netbsd.org@localhost
Subject: Re: Normalization of passwords in SASL and SSH
From: Simon Josefsson <jas%extundo.com@localhost>
Date: Mon, 29 Nov 2004 21:00:14 +0100

nisse%lysator.liu.se@localhost (Niels Möller) writes:

> 2. Add some new text saying that we recommend that systems supporting
>    non-ascii passwords always normalize passwords and usernames
>    whenever they are added to the database, or compared (with or
>    without hashing) to existing entries in the database.

I believe the part about storing normalized strings in databases is a
poor recommendation.

If the password is stored, then I believe it would be better to store
the unprepared string than the prepared string.  Otherwise, there is
an upgrade problem when SASLprep2 is released.

Of course, if the database store a hashed password, then there is no
choice, and you have to prepare it before hashing.

I would recommend doing normalization when storing strings, to provide
early feedback for invalid strings, but store the unprepared string.
During validation, you can either prepare the string (using the
then-current preparation algorithm), or you could use a prepared copy
of the password stored in the database, for efficiency.  In the latter
case, the database should also remember which algorithm was used to
prepare the prepared string (SASLprep, SASLprep2, etc).

Thanks,
Simon

Follow-Ups:
- Re: Normalization of passwords in SASL and SSH
  - From: Sam Hartman

References:
- Normalization of passwords in SASL and SSH
  - From: Sam Hartman
- Re: Normalization of passwords in SASL and SSH
  - From: Niels Möller

Prev by Date: Re: Normalization of passwords in SASL and SSH
Next by Date: Re: Normalization of passwords in SASL and SSH
Previous by Thread: Re: Normalization of passwords in SASL and SSH
Next by Thread: Re: Normalization of passwords in SASL and SSH
Indexes:

Home | Main Index | Thread Index | Old Index