Hash then Encrypt Passwords on DJ

This topic has 7 replies, 3 voices, and was last updated 4 years, 11 months ago by Ludo.


    Hi team,
    I wish to hash then encrypt user passwords before storing them. I understand that the supported password storage schemes allow encryption or hashing.
    Is there any out-of-the-box way that I can perform AES(Bcrypt{Password}) on OpenDJ to store the password and verify it the same way?


    Bill Nelson

    Short of allocating one of these tasks to the client (before sending it to DJ), the only way that I can think of to handle this would be to create your own password plugin for OpenDJ.

    Note: Allocating any task to the client would need to be performed on both storage and during the BIND operation.


    Thanks. Client-side hashing is an option I’ve already considered.

    I was looking for a more off-the-shelf solution on OpenDJ than creating my own password plugin to be honest.

    Stupid question – can I not chain two Password schemes? i.e. use the output of the BCrypt password scheme as an input to the AES password scheme?


    What is the goal with encrypting the result of the Hashed Passwords?
    Directory Services 5 and higher can encrypt data at rest, therefore preventing data from being collected from disks.


    The password search space is too small for slow hashing algorithms to help on their own. At the same time, I do not want to use a reversible crypto algorithm like AES on its own as I do not want the passwords to be reversible. (I know OpenDJ will never output the plaintext password in an AES password scheme but it is technically possible)


    So, it is not possible to chain multiple password storage schemes.
    But I don’t understand your sentence “The password search space is too small for slow hashing algorithms to help on their own.”
    What is it you are trying to achieve with encrypting hashed passwords?


    Apologies if I wasn’t clear. The passwords in question have a low complexity (for example 4-digit numeric PINs). BCrypt doesn’t really help against an offline brute-force attack, as it wouldn’t take long for an attacker to try all 10000 PINs to break the hashes.

    We’re proposing to encrypt the hashes using AES on top of the hashing to counter this. The attacker, along with the hash dump, would now also need access to the key to be able to reverse engineer the passwords.

    Allow me to rephrase my question by asking: is there a secure way of storing numeric PINs using OpenDJ? (Considering the points above)


    Out of the box, I think that the proper way to secure weak passwords is to use a secure hashing scheme such as PBKDF2 or Bcrypt, and make sure the data is encrypted on disk.
    This will prevent anyone from having access to the hashed passwords from the disks or backups.
    Online access is protected by the password policy and lockout after a number of failures.
    The one thing that this doesn’t protect against is accidental disclosure by an application or an Administrator. For now, the only option to fully protect a PIN (actually, to hide the salt that is used with the hash of it) would be via a custom password storage scheme.

©2022 ForgeRock