Security Implications of Novell eDirectory.

From: steven.sporen@za.pwcglobal.com
Date: 05/30/02


To: bugtraq@securityfocus.com
From: steven.sporen@za.pwcglobal.com
Date: Thu, 30 May 2002 10:56:30 +0200

Hi,

I was wondering what people's thoughts were regarding the product Novell
eDirectory. I've had a quick look at the implementation and have found that
eDirectory's passwords are case-insensitive. Comparing this to case
sensitive
passwords this radically reduces the number of passwords the system can
use.

ie.

  Case Sensitive Case Insensitive
  26 52 Alpha
  10 10 Numeric
  26 26 Special
  ---- ----
  62 88

Thus for a password 8 characters long we get the following number of
combinations respectively.

  62^8-1 88^8-1

This means that case sensitive passwords are 16.47 times stronger than case
insensitive.

Could I deduce that from this using Active Directory vs. eDirectory, AD is
16.47
times stronger with passwords than secure in a password sense? Is this a
fair
statement?

Regards
  Steven
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.



Relevant Pages

  • OT: Apache Auth help needed Summary
    ... solution is to choose a different encryption method for the passwords ... the intended recipient, you are hereby notified that any dissemination of ... this communication is strictly prohibited. ... attachments and notify us immediately. ...
    (SunManagers)
  • Web start Install of a Flash Archive
    ... besides users and passwords, DiskSuite meta information ... GIS Chicago Data Center System Administrator ... authorized to receive this message for the intended recipient), ...
    (SunManagers)
  • RE: Security Logging - Passwords & Accounts
    ... Security Logging - Passwords & Accounts ... is not the intended recipient or the employee or agent responsible to ...
    (RedHat)
  • SQL Server passwords
    ... passwords in SQL server. ... auditing tool that is ... entities other than the intended recipient is prohibited. ...
    (Bugtraq)
  • Re: Password Generation Procedure?
    ... passwords made up by people themselves) usually are easier to guess. ... delivering to the intended recipient, be advised that you have received ... any legal responsibility for the content of this message. ... To encrypt classified messages, please download and use this PGP-Key: ...
    (Security-Basics)