[JDEV] Account information storage, plaintext?
Tijl Houtbeckers
thoutbeckers at splendo.com
Fri Sep 12 17:50:26 CDT 2003
"Jamin W. Collins" <jcollins at asgardsrealm.net> wrote on 13-9-2003 0:14:28:
>
>On Fri, Sep 12, 2003 at 10:04:39PM +0100, Andrew Sayers wrote:
>>
>> I can't speak for jabberd, but other popular programs (e.g. pppd,
>> fetchmail) store passwords in plaintext, readable only by a specified
>> user. The theory is that if someone can get read access to files
>> they aren't supposed to, they'll get your password one way or other
>> anyway.
>
>Understood, but in the examples provided the password is either stored
>on the user's machine or on the remote server being connected to. In
>the case of Jabber transports the password is being stored on a third
>party system (the Jabber server), and the users probably don't realize
>this.
Well, I suppose you *could* resend the password in plaintext each time
you log into a transport, rather than storing it on the server. That
way a user with only read access to the filesystem on the server won't
be able to steal it. But what kind of user on the server would have
permission to read all files but not sniff network traffic? (maybe one
used by a backup program or something). It might make things a little
more secure one way (for example they won't end up in your backups
either), but on the other hand, sending your password in plaintext over
the wire isn't that secure either. So you'd have to use SSL, which can
be a bit heavy on the server and only works if the link between the
server and the transport isn't vulnerable either.
--
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands