IETF-SSH archive


Re: Normalization of passwords in SASL and SSH



nisse%lysator.liu.se@localhost (Niels Möller) writes:

> 2. Add some new text saying that we recommend that systems supporting
>    non-ascii passwords always normalize passwords and usernames
>    whenever they are added to the database, or compared (with or
>    without hashing) to existing entries in the database.

I believe the part about storing normalized strings in databases is a
poor recommendation.

If the password is stored, then I believe it would be better to store
the unprepared string than the prepared string.  Otherwise, there is
an upgrade problem when SASLprep2 is released.

Of course, if the database stores a hashed password, then there is no
choice, and you have to prepare it before hashing.

I would recommend doing normalization when storing strings, to provide
early feedback for invalid strings, but store the unprepared string.
During validation, you can either prepare the string (using the
then-current preparation algorithm), or you could use a prepared copy
of the password stored in the database, for efficiency.  In the latter
case, the database should also remember which algorithm was used to
prepare the prepared string (SASLprep, SASLprep2, etc).

Thanks,
Simon
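
The scheme Simon sketches for the hashed case, as an added example that is
not part of the message or of any IETF text: prepare the password before
hashing, record alongside the hash which preparation algorithm was used,
and at verification prepare the candidate with that recorded algorithm
rather than the current one. The two "prep" functions below are
deliberately simplified stand-ins for SASLprep and a hypothetical
successor (the names "prep-v1" and "prep-v2", the PBKDF2 choice and the
iteration count are all this example's own assumptions, not anything from
the thread); they are not a conforming SASLprep implementation. The
upgrade problem shows up concretely: a password containing a soft hyphen
prepares differently under the two versions, so a store that forgot which
algorithm produced a hash could not verify it after the switch.

```python
"""Versioned password preparation for a hashed credential store.

Added example, not code from the IETF thread. The two "prep" functions are
deliberately simplified stand-ins for SASLprep and a hypothetical successor;
they are NOT a conforming SASLprep implementation.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumption: any salted password hash would do here


def _map_spaces(s: str) -> str:
    """Map every Unicode space separator (category Zs) to U+0020, as SASLprep does."""
    return "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)


def prep_v1(password: str) -> str:
    """Stand-in for SASLprep: map spaces, NFKC-normalize, reject control chars.
    Deliberately does not strip soft hyphens etc., so that prep_v2 differs."""
    normalized = unicodedata.normalize("NFKC", _map_spaces(password))
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        raise ValueError("prohibited control character in password")
    return normalized


def prep_v2(password: str) -> str:
    """Stand-in for a hypothetical 'SASLprep2': additionally map format
    characters (category Cf: soft hyphen, zero-width joiners, ...) to nothing
    before the v1 steps. Real SASLprep already does this (RFC 3454 B.1); the
    point here is only that the algorithm changed between versions."""
    stripped = "".join(ch for ch in password if unicodedata.category(ch) != "Cf")
    return prep_v1(stripped)


PREP_ALGORITHMS = {"prep-v1": prep_v1, "prep-v2": prep_v2}
CURRENT_PREP = "prep-v2"


def prepare(alg: str, password: str) -> str:
    """Dispatch to the named preparation algorithm; unknown names are an error."""
    try:
        fn = PREP_ALGORITHMS[alg]
    except KeyError:
        raise ValueError(f"unknown preparation algorithm {alg!r}") from None
    return fn(password)


def _derive(prepared: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, prep_alg: str = CURRENT_PREP) -> dict:
    """Prepare (early feedback on invalid strings), hash, and record which
    preparation algorithm produced the hashed string."""
    prepared = prepare(prep_alg, password)
    salt = os.urandom(16)
    return {"prep": prep_alg, "salt": salt.hex(), "hash": _derive(prepared, salt).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Prepare the candidate with the algorithm recorded at enrollment, not the
    current one: a stored hash cannot be re-prepared."""
    try:
        prepared = prepare(record["prep"], candidate)
    except ValueError:
        return False
    digest = _derive(prepared, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_and_upgrade(record: dict, candidate: str) -> tuple:
    """On a successful login, re-enroll under the current algorithm so the
    store migrates one entry at a time. Returns (ok, record_to_store)."""
    if not verify(record, candidate):
        return False, record
    if record["prep"] != CURRENT_PREP:
        return True, enroll(candidate)
    return True, record


if __name__ == "__main__":
    # constructed sample: soft hyphen (U+00AD) and ideographic space (U+3000)
    legacy = enroll("pa\u00adss\u3000word", prep_alg="prep-v1")
    print(verify(legacy, "pass word"))       # False: v1 keeps the soft hyphen
    ok, migrated = verify_and_upgrade(legacy, "pa\u00adss\u3000word")
    print(ok, migrated["prep"])              # True prep-v2
    print(verify(migrated, "pass word"))     # True: v2 maps the soft hyphen away
```

The migration path is the only one available once passwords are hashed:
the plaintext is present exactly at login, so that is the moment to
re-prepare under the newer algorithm and overwrite the record. A store
that kept the unprepared cleartext (Simon's preferred variant when the
password is stored at all) could instead re-prepare every entry offline,
which is why he argues against persisting only the prepared form.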



