• Sun
    February 8, 2008

Password With Multi-byte Characters

Guest Author
Though it is almost impossible to crack a password composed of randomly chosen ASCII characters, you might want to make it even more secure by using multi-byte characters, such as Cyrillic letters or East Asian characters (Chinese, Korean, Japanese).
This approach may not always work; it depends on the software and even the software version. It works on both Sun Access Manager 7.0 (JES4) and 7.1 (JES5). However, you will be disappointed when trying it on vanilla AM 7.0. You should see an error in the DS log:
ERROR<33077> - 7-Bit Check Plug-in - conn=47 op=8 msgId=656 - Operation rejected: ADD failed (19), the value (xxxxxxxxx) of attribute userpassword contains extended (8-bit) characters
This suggests a DS problem, but it is actually a configuration issue. To accept passwords with 8-bit characters, you can simply disable the 7-Bit Check plug-in, either on the DS console or by editing dse.ldif:
dn: cn=7-bit check,cn=plugins,cn=config
nsslapd-pluginEnabled: off <== changed from on (default)
According to Pierre, a Sun DS expert, the 7-Bit Check plug-in is there to prevent the creation of passwords that contain non-ASCII characters. The reason is that the LDAP v3 standard was not clear about how passwords should be handled. Most applications were sending the password as is, in their own local charset, and DS cannot correctly handle characters encoded in different ways. Recently the standard was revised to specify that the password should be UTF-8 encoded. Since then, the 7-Bit Check plug-in has been disabled by default on DS 6.0 in JES5.
This does not mean your application will automatically work with multi-byte character passwords, assuming you use Sun DS 5.x/6.0. You have to make sure your application passes the password encoded in UTF-8. It sounds simple, but lots of developers ignore it. Maybe we should make the JDK change the default encoding from ASCII to UTF-8 whenever a character set is involved.
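An added example (not from the original post or from Sun's code) showing why the charset matters: the same password converted to bytes under different charsets trips a 7-bit check differently and produces different stored hashes, so a later bind with another encoding fails. The sample password, the class and method names, and the choice of the unsalted {SHA} storage scheme are assumptions made for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class PasswordEncodingDemo {

    // Mirrors what a 7-bit check looks for: any byte with the high bit set.
    static boolean hasEightBitBytes(byte[] value) {
        for (byte b : value) {
            if ((b & 0x80) != 0) {
                return true;
            }
        }
        return false;
    }

    // Unsalted SHA-1 in the {SHA} userPassword style (an illustrative choice),
    // used only to show that different encodings give different stored values.
    static String shaScheme(byte[] passwordBytes) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        return "{SHA}" + Base64.getEncoder().encodeToString(md.digest(passwordBytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password: six Cyrillic letters written as Unicode
        // escapes, so the encoding of this source file does not matter.
        String password = "\u043f\u0430\u0440\u043e\u043b\u044c";

        Charset[] charsets = {
            StandardCharsets.UTF_8,          // what the revised standard expects
            Charset.forName("windows-1251"), // a legacy local charset (assumed present in the JRE)
            StandardCharsets.ISO_8859_1,     // cannot represent Cyrillic: each letter becomes '?'
            Charset.defaultCharset()         // what a bare password.getBytes() would use
        };

        for (Charset cs : charsets) {
            byte[] bytes = password.getBytes(cs);
            System.out.printf("%-14s len=%-2d 8bit=%-5b %s%n",
                    cs.name(), bytes.length, hasEightBitBytes(bytes), shaScheme(bytes));
        }
    }
}
```

The ISO-8859-1 row is the one to watch: it passes a 7-bit check because every character was silently replaced with '?', which means the stored password is no longer the one the user typed.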
