[JDEV] Account information storage, plaintext?
Tijl Houtbeckers
thoutbeckers at splendo.com
Fri Sep 12 15:46:50 CDT 2003
"Jamin W. Collins" <jcollins at asgardsrealm.net> wrote on 12-9-2003
19:49:23:
>
>Does anyone else see it as a concern that the Jabber server (1.4.2
>release) and popular transports (aim-t, jit, msn-t, and yahoo-t) save
>user account information (user name and password) in plaintext for
>anyone with read access on the Jabber server to see?
From the last discussion on this subject, it turns out with SASL's
digest-MD5 method (so with Jabberd2 as well I suppose?) it is possible
to store passwords in secure hash form. Registration with
jabber:iq:register will still be done in plaintext, till it is adapted
for this mechanism.
But even then, I wouldn't give anyone read access to your jabber files
that shouldn't really have it.
As for transports, since most networks currently require access to
plaintext passwords to do authentication with them, there is only one
alternative: mapping the authentication to Jabber and letting the clients
handle it. That would mean, however, that for every foreign network you
want to use, the client would have to implement that authentication
process, which on most networks is also the most frequently changed
feature. For example, for MSN you first would have had to implement SHA1
authentication in your messenger, but now you'd have to tunnel SSL over
your Jabber stream. I can imagine most client authors would like it
better if you just restrict read access on your server ;)
--
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
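The SASL DIGEST-MD5 mechanism mentioned above, as an added example that is not code from jabberd, any of the transports, or the list post: it follows the RFC 2831 computation with qop=auth, so the server keeps MD5("username:realm:password") on disk instead of the plaintext password and still checks the client's answer. The function names (stored_secret, client_response, server_verify and so on), the realm jabber.example.org, the user and the passwords are this example's own constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not code from jabberd, a transport, or the list post.
# It models SASL DIGEST-MD5 (RFC 2831, qop=auth): the server stores
# MD5("username:realm:password") rather than the plaintext password and
# still verifies the client's response.  All names below are this
# example's own; realm, user and passwords are constructed sample data.

def stored_secret(username, realm, password):
    """The 16 raw bytes a DIGEST-MD5 server may store instead of the
    password: MD5("username:realm:password"), RFC 2831 section 2.1.2.1."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def _digest(secret, nonce, cnonce, nc, qop, a2, authzid=None):
    """Shared RFC 2831 core: A1 = secret ":" nonce ":" cnonce [":" authzid],
    result = HEX(MD5(HEX(MD5(A1)):nonce:nc:cnonce:qop:HEX(MD5(A2))))."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()

def response_digest(secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Client's 'response' field; A2 = "AUTHENTICATE:" digest-uri for qop=auth."""
    return _digest(secret, nonce, cnonce, nc, qop, f"AUTHENTICATE:{digest_uri}")

def rspauth_digest(secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    """Server's 'rspauth' field; A2 = ":" digest-uri (no method), so the
    client can check that the server also knows the secret."""
    return _digest(secret, nonce, cnonce, nc, qop, f":{digest_uri}")

def client_response(username, realm, password, nonce, digest_uri,
                    cnonce=None, nc="00000001"):
    """Client side: derive the same secret from the password it knows and
    answer the server's nonce.  Returns the fields of the response message."""
    cnonce = cnonce or secrets.token_hex(16)
    secret = stored_secret(username, realm, password)
    return {"username": username, "realm": realm, "nonce": nonce,
            "cnonce": cnonce, "nc": nc, "qop": "auth", "digest-uri": digest_uri,
            "response": response_digest(secret, nonce, cnonce, nc, digest_uri)}

def server_verify(user_db, msg):
    """Server side: recompute the response from the stored secret only.
    Returns the rspauth string on success, None on failure."""
    secret = user_db.get((msg["username"], msg["realm"]))
    if secret is None:
        return None
    args = (secret, msg["nonce"], msg["cnonce"], msg["nc"],
            msg["digest-uri"], msg["qop"])
    if not hmac.compare_digest(response_digest(*args), msg["response"]):
        return None
    return rspauth_digest(*args)

REALM = "jabber.example.org"          # constructed realm
DIGEST_URI = "xmpp/" + REALM
# The on-disk credential store holds only the hashed secret, no password.
USER_DB = {("alice", REALM): stored_secret("alice", REALM, "correct horse")}

def demo():
    """Returns (correct password accepted, wrong password rejected,
    stolen stored secret alone accepted)."""
    nonce = secrets.token_hex(16)
    ok = server_verify(USER_DB, client_response(
        "alice", REALM, "correct horse", nonce, DIGEST_URI)) is not None
    bad = server_verify(USER_DB, client_response(
        "alice", REALM, "wrong", nonce, DIGEST_URI)) is not None
    # Caveat: the stored value is password-equivalent.  Whoever can read the
    # file can answer a challenge without ever learning the password.
    stolen = USER_DB[("alice", REALM)]
    cnonce = secrets.token_hex(16)
    forged = {"username": "alice", "realm": REALM, "nonce": nonce,
              "cnonce": cnonce, "nc": "00000001", "qop": "auth",
              "digest-uri": DIGEST_URI,
              "response": response_digest(stolen, nonce, cnonce,
                                          "00000001", DIGEST_URI)}
    stolen_ok = server_verify(USER_DB, forged) is not None
    return ok, bad, stolen_ok

if __name__ == "__main__":
    print(demo())
```

demo() returns (True, False, True): the hashed store is enough to verify a real client and reject a wrong password, but the third value shows why restricting read access still matters, since the stored MD5 is all a client needs to produce a valid response. RFC 2831 section 4 carries a worked vector (user "chris", password "secret", realm elwood.innosoft.com) that can be fed through response_digest and rspauth_digest to check the arithmetic.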