• Apologies if I wasn’t clear. The passwords in question have a low complexity (for example 4-digit numeric PINs). BCrypt doesn’t really help against an offline brute force attack as it wouldn’t take long for an attacker to try all 10,000 PINs to break the hashes.

    We’re proposing to encrypt the hashes using AES on top of the hashing to counter this.

  • The password search space is too small for slow hashing algorithms to help on their own. At the same time, I do not want to use a reversible crypto algorithm like AES on its own as I do not want the passwords to be reversible. (I know OpenDJ will never output the plaintext password in an AES password scheme but it is technically possible)

  • Thanks. Client-side hashing is an option I’ve already considered.

    I was looking for a more off-the-shelf solution on OpenDJ than creating my own password plugin to be honest.

    Stupid question – can I not chain two Password schemes? i.e. use the output of the BCrypt password scheme as an input to the AES password scheme?

  • Hi team,
    I wish to hash then encrypt user passwords before storing them. I understand that the supported password storage schemes allow encryption or hashing.
    Is there any out-of-the-box way that I can perform AES(Bcrypt{Password}) on OpenDJ to store the password and verify it the same way?

    Thanks.
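The hash-then-encrypt scheme the thread is asking about, AES(Bcrypt{Password}), as an added example that is not part of the thread and not OpenDJ code. It is written in Go against the standard library only, so bcrypt is replaced by a hand-rolled PBKDF2-HMAC-SHA256 (the point is the same: a slow hash over a 10^4 search space) and the encryption layer is AES-256-GCM. The `StoredPIN` layout, the function names, the 32-byte key and the sample PIN `7391` are all assumptions made for the example. The brute-force function models the offline attacker from the thread who holds a hash-only record.

```go
// Added example (not OpenDJ code): hash-then-encrypt for a low-entropy PIN.
// The slow hash is PBKDF2-HMAC-SHA256 standing in for bcrypt; the wrapper is
// AES-256-GCM under a key that must be held outside the directory.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// StoredPIN is a hypothetical layout for what a password scheme would store.
type StoredPIN struct {
	Salt       []byte // public, stored next to the record as any salted scheme does
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM(key, slowHash(pin, salt)) with the GCM tag appended
}

// slowHash is PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, standing in
// for bcrypt. Its cost multiplies the attacker's work per guess but cannot
// enlarge a search space of only 10,000 PINs.
func slowHash(pin string, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, []byte(pin))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index of the single output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store hashes the PIN with a fresh salt, then encrypts the hash. The salt is
// bound as GCM additional data so it cannot be swapped for another record's.
func Store(pin string, iter int, key []byte) (StoredPIN, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return StoredPIN{}, err
	}
	salt := make([]byte, 16)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(salt); err != nil {
		return StoredPIN{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return StoredPIN{}, err
	}
	ct := aead.Seal(nil, nonce, slowHash(pin, salt, iter), salt)
	return StoredPIN{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Verify decrypts the stored hash and compares it with a fresh hash of the
// candidate in constant time. Without the key GCM rejects the record outright,
// so there is never a hash for an offline attacker to compare guesses against.
func Verify(rec StoredPIN, candidate string, iter int, key []byte) (bool, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return false, err
	}
	storedHash, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, rec.Salt)
	if err != nil {
		return false, errors.New("cannot decrypt stored hash: wrong key or tampered record")
	}
	return subtle.ConstantTimeCompare(storedHash, slowHash(candidate, rec.Salt, iter)) == 1, nil
}

// BruteForcePlainHash models the attacker from the thread holding a
// hash-only record (salt plus hash, no encryption layer): walk all 10^4 PINs.
// It returns the PIN, the number of guesses made and whether it was found.
func BruteForcePlainHash(target, salt []byte, iter int) (string, int, bool) {
	for n := 0; n < 10000; n++ {
		guess := fmt.Sprintf("%04d", n)
		if hmac.Equal(slowHash(guess, salt, iter), target) {
			return guess, n + 1, true
		}
	}
	return "", 10000, false
}

func main() {
	key := make([]byte, 32) // demo key; in practice from a KMS/HSM, never in the directory
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const iter = 200
	rec, err := Store("7391", iter, key) // constructed sample PIN
	if err != nil {
		panic(err)
	}
	ok, _ := Verify(rec, "7391", iter, key)
	bad, _ := Verify(rec, "7390", iter, key)
	fmt.Println("correct PIN verifies:", ok, " wrong PIN verifies:", bad)
	pin, tries, found := BruteForcePlainHash(slowHash("7391", rec.Salt, iter), rec.Salt, iter)
	fmt.Printf("hash-only record broken: %v after %d guesses (PIN %s)\n", found, tries, pin)
	_, err = Verify(rec, "7391", iter, make([]byte, 32))
	fmt.Println("encrypted record without the key:", err)
}
```

The caveat the thread is circling: the AES layer only adds something if the key is held somewhere a dump of the directory does not reach. If the same compromise that yields the records also yields the key, the attacker decrypts the hashes and is back to the 10,000-guess search that the slow hash alone cannot prevent.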