Thursday, March 28, 2024

[389-users] Questions regarding PDBKD2 iteration count status and possible optimization


I have several questions regarding PBKDF2 as password storage scheme, maybe
someone can help?

1) Is it correct, that in the latest version the number of iterations for
new hashes is not configurable, but determined dynamically based on
2) If yes: I think for compliance reasons it would be a good idea to add a
configurable "minimum iterations" variable. This might slow down
authentication but could help to enforce a minimum security level if
required. Any comments?
3) Am I right, that if the current calculation results in higher "iterations
number" than used before (e.g., at the time of a last password-change of a
user), the hash remains unchanged until new passwort-change? The "Password
Upgrade on Bind"
( does not
apply for "more iterations"?
4) If yes: This could be a valuable improvement as the general idea of
PBKDF2 is to increase iteration count over time while hardware resources are
growing. Any comments?

Kind regards,
Tobias Ernstberger

No comments:

Post a Comment