[JDEV] Passwords, zero-K and storage
Iain Shigeoka
iainshigeoka at yahoo.com
Wed Jun 20 10:22:51 CDT 2001
At 12:54 AM 6/20/2001 +0100, you wrote:
> > > If someone really wants passwords to be secure, they need to use a secure
> > > method of account registration, authentication, and renewal in the case of 0k.
> >
> > Yes, this seems to be the weak spot of 0k in general, the user-initiated
> > password setting and changing...
>
> I've never been too hot on the 0k stuff, but surely setting new passwords
> could be sequenced as requested in the initial jabber:iq:auth query when
> sent, therefore going in a hashed way rather than as plain-text, keeping
> the plain-text off the wire?
Yeah. There are a ton of ways to do it. Most of this is just a matter of
deciding on a standard method so that all the servers and clients can
interoperate properly. For instance, if you just look at 0k from the docs
page, you can't actually implement it even though the server and some
clients are using it today... If you want to add it to your client, you
pretty much have to reverse engineer the protocol or read the server source. ;(
On the positive side, once the Foundation is set up and running, and the
standards process gets into swing, I think we'll be seeing a very positive
standards effort (heck, I'm planning on putting some serious work into it), so
this should only be a temporary situation.
-iain
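To make the thread's two points concrete (0k-style login keeps the password off the wire, but the enrolment/re-enrolment step is only as trustworthy as whoever sends it), here is an added illustration of a hash-chain login scheme of the kind 0k is built on. It is example code written for this page, not the Jabber server's or any client's implementation, and it does not claim to match the 0k wire format: the chain construction (`sha1(sha1(password) + token)` iterated `seq` times), the `AuthServer`/`AuthClient` names and the chain length are all assumptions made for the demonstration. It shows a login, a replay of a captured response failing, a wrong password failing, and the chain being exhausted and re-enrolled with a fresh token, where the new chain head again travels as a hash rather than plain text.

```python
import hashlib
import hmac
import secrets

HASH_CHAIN_LENGTH = 5  # assumption: kept tiny so the chain is exhausted within the demo


def sha1_hex(data: str) -> str:
    """SHA-1 over UTF-8 text as lowercase hex (assumed encoding for this example)."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def chain_value(password: str, token: str, n: int) -> str:
    """n-th element of the hash chain: H0 = sha1(sha1(pw) + token), H(i+1) = sha1(H(i)).
    Knowing H(n) lets anyone compute H(n+1), but not H(n-1); that asymmetry is the scheme."""
    value = sha1_hex(sha1_hex(password) + token)
    for _ in range(n):
        value = sha1_hex(value)
    return value


class AuthServer:
    """Stores only the current chain head per user; it never sees the password."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def enroll(self, user: str, token: str, seq: int, head: str) -> None:
        # The weak spot discussed in the thread: the server cannot check that `head`
        # really derives from the user's password, it simply trusts the sender.
        self.accounts[user] = {"token": token, "seq": seq, "head": head}

    def challenge(self, user: str):
        """Return (token, seq-1) the client must answer, or None when the chain is used up."""
        acct = self.accounts[user]
        if acct["seq"] <= 0:
            return None
        return acct["token"], acct["seq"] - 1

    def verify(self, user: str, response: str) -> bool:
        acct = self.accounts[user]
        if acct["seq"] <= 0:
            return False
        if not hmac.compare_digest(sha1_hex(response), acct["head"]):
            return False
        # Accepted: the response becomes the new head, so it cannot be replayed.
        acct["head"] = response
        acct["seq"] -= 1
        return True


class AuthClient:
    def __init__(self, user: str, password: str) -> None:
        self.user, self.password = user, password

    def enrollment(self, seq: int = HASH_CHAIN_LENGTH):
        """Fresh token and chain head to send at registration or re-keying (hash only)."""
        token = secrets.token_hex(8)
        return token, seq, chain_value(self.password, token, seq)

    def respond(self, token: str, seq: int) -> str:
        return chain_value(self.password, token, seq)


def run_session(server: AuthServer, client: AuthClient) -> bool:
    """One login; re-enrols with a new chain when the old one is exhausted."""
    ch = server.challenge(client.user)
    if ch is None:
        server.enroll(client.user, *client.enrollment())
        ch = server.challenge(client.user)
    token, seq = ch
    return server.verify(client.user, client.respond(token, seq))


def demo() -> dict:
    server = AuthServer()
    client = AuthClient("alice", "correct horse")  # constructed sample user
    server.enroll(client.user, *client.enrollment())

    token, seq = server.challenge(client.user)
    captured = client.respond(token, seq)            # what an eavesdropper would see
    first = server.verify(client.user, captured)     # genuine login
    replay = server.verify(client.user, captured)    # same value again: head has moved on

    imposter = AuthClient("alice", "wrong password")
    token, seq = server.challenge(client.user)
    wrong = server.verify(client.user, imposter.respond(token, seq))

    # Burn through the remaining chain and past it; the re-key happens inside run_session.
    rest = [run_session(server, client) for _ in range(HASH_CHAIN_LENGTH + 2)]
    return {"first": first, "replay": replay, "wrong_password": wrong, "rest": rest}


if __name__ == "__main__":
    print(demo())
```

The re-keying path in `run_session` is where the thread's concern sits: the new token and chain head are hashes, so a passive listener learns nothing about the password, but nothing ties that `enroll` call to the account holder beyond the session it arrives in, which is why registration and renewal need their own protection.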