Password-based SASL mechanisms

Several SASL mechanisms provide for authentication using passwords. Their security properties are different.


  1. The user's password is at risk of compromise whenever it is used. Exposing it outside the client application increases this risk.
  2. Some SASL mechanisms require that the LDAP server has access to a stored copy of the user's password. In such systems, an attacker who copies the database or backup tapes can easily impersonate every user of the system: this is a very serious risk.


  1. Avoid mechanisms such as DIGEST-MD5 that require the server to store the plain-text password.
  2. Avoid SASL PLAIN: it is no better than simple bind.
  3. Use SASL SCRAM RFC 5802 where possible as it does not require the server to store (or ever see) the user's plain-text password. Establish a TLS session before authenticating. Read the Security Considerations section in RFC5802 to understand the remaining risks.


Apply this control whenever password-based authentication is required.

-- AndrewFindlay - 07 Oct 2011
Topic revision: r1 - 07 Oct 2011, AndrewFindlay - This page was cached on 04 Aug 2023 - 22:22.

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback