Password Hashing & Security
Is it required to send the plain-string password while authenticating with AD? I mean, if AD stores the user password it must be encrypting it in some way or other; can we send an encrypted password for authentication? Here is what I mean:

    // Instead of the plain password, can this be an encrypted password?
    ad.authenticate(username, password, function (err, auth) {
        if (err) {
            console.log('ERROR: ' + JSON.stringify(err));
            return;
        }
        if (auth) {
            console.log('Authenticated!');
        } else {
            console.log('Authentication failed!');
        }
    });
I have also posted this on StackOverflow.
Hi,
Did you ever manage to solve this? I too would like to come up with a fix to this as any packet sniffer is able to display the username and password in plaintext.
The solution is to use LDAPS (Secure LDAP) and provide a CA for verification when you first connect. The credentials being sent over the wire will be encrypted, and MITM attacks won't work if you force certificate verification.

    const fs = require("fs");
    const ActiveDirectory = require("activedirectory");

    const ad = new ActiveDirectory({
        url: "ldaps://dc.domain.com",          // LDAPS, not plain ldap://
        baseDN: "dc=domain,dc=com",
        username: "[email protected]",
        password: "password",
        tlsOptions: {
            ca: [fs.readFileSync("CA.crt")],   // CA that signed the DC's certificate
            rejectUnauthorized: true           // Force certificate verification
        }
    });
Hi,
May I ask a stupid question? I'm running the application on a Linux server. How can I get a CA and put it on the server then?
Thank you very much!
You need to use the CA certificate you created when setting up LDAPS / AD.
Please excuse me if this is out of context. Is there any way to avoid hardcoding the password in the code? Can we have a method which accepts an encrypted or hashed password to connect to AD?