[SR-Users] Size of passwords fields in db

[Daniel-Constantin Mierla]

On 05/10/16 16:35, Fred Posner wrote:
> On 10/05/2016 10:25 AM, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> writing here to decide on a topic opened by pull request 779:
>>
>>   - https://github.com/kamailio/kamailio/pull/779
>>
>> what would be a fair size for db column storing a password that one
>> would like to have for proper security?
>>
>> I would like to make it consistent over all tables that have a password
>> column by defining a xml entity for the size of these columns. The pull
>> request suggests 64 chars, has anyone other opinions on making it larger
>> or smaller?
>>
>> If they are defined varchar, then should not be a problem of allocated
>> size, so we can go with 128 if someone feels it worth doing larger now
>> so we don't have to change it again in the near future.
>>
>> This change is about db schema, the modules I expect to work with
>> allocated strings (or have length checks) in this case and should not be
>> affected.
>>
>> Cheers,
>> Daniel
>>
> Although I can see why someone might consider the need for larger than
> varchar 64, I really don't see a need for it. Assuming if you needed
> more characters it would probably be time to use additional
> authentication methods.
That refreshed my mind that we have now support for sha 256, which means
that ha1 fields need to be 64 (and they are now), but wondering if
someone will want to have and add sha 512 any time soon, which means the
ha1 fields need to be 128...
>
> I believe Polycom still max's out at 32.
I haven't looked at phones restrictions on this, but I saw old devices
accepting only digit based passwords... hopefully not many out there at
this moment.

A stronger auth method would be highly desired, but I guess a lot of
people are restricted by deployed devices.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Oct 24-26, 2016 - http://www.asipto.com