[JDEV] Account information storage, plaintext?
Richard Dobson
richard at dobson-i.net
Mon Sep 15 07:21:41 CDT 2003
> > Only specific users (such as the user that
> > the server runs as) should have read access to these files. And of
> > course, the administrator is implicitly trusted.
> Should have :D
> I do trust most server admins but nothing can guarantee me that they
> administer their servers properly. If a Jabber server gets compromised a
> _lot_ of users will lose their passwords and a _lot_ of users are using
> the same password for close to everything. Yes, that's really stupid of
> them but that's not the point. IMO it is very undesirable that passwords
> are stored in plaintext, IMO we should get rid of that ASAP :D I know
> we'll have to live with plaintext passwords for quite some time to come
> but IMO it would be a Good Thing(tm) if clients/servers would default to
> storing hashed passwords.
This is entirely an implementation/admin/setup issue; some systems will
require plaintext passwords to be stored/accessible in order for them to
operate, e.g. where Jabber is being integrated into an existing userbase
where multiple systems use a central core user database. As Robert says, it
is all up to the server admin what they want to do on their server and how
they store passwords on it; if you don't like their policy then don't use
their server, it's as simple as that.
Personally I don't think we should be forcing particular ideas of how an
admin should have their server set up on people, and certainly not forcing
those ideas as the only option available to them; all we should be doing is
providing suggestions and recommendations.
Richard