[JDEV] Account information storage, plaintext?

Raditha Dissanayake jabber at raditha.com
Mon Sep 15 08:37:53 CDT 2003


Hi,

As others have explained, the transport passwords have to be available 
in plaintext for the transports to work. However, that does not mean that 
you have to store them in plaintext. A small modification to xdb_sql or 
xdb_file can allow you to encrypt/decrypt passwords, but this has to be a 
two-way algorithm instead of a one-way hash.

I can see so many people loading their keyboards to shoot back saying a 
two-way algorithm is almost as bad as plaintext :-)) Well, one-way 
hashes are also going to be pretty useless someday when quantum computers 
arrive on the scene.

btw: you will find thousands of web applications that store usernames 
and passwords in plaintext.

Bart van Bragt wrote:

>> Only specific users (such as the user that
>> the server runs as) should have read access to these files. And of
>> course, the administrator is implicitly trusted.
>
> Should have :D
> I do trust most server admins but nothing can guarantee me that they 
> administer their servers properly. If a Jabber server gets compromised 
> a _lot_ of users will lose their passwords and a _lot_ of users are 
> using the same password for close to everything. Yes, that's really 
> stupid of them but that's not the point. IMO it is very undesirable 
> that passwords are stored in plaintext, IMO we should get rid of that 
> ASAP :D I know we'll have to live with plaintext passwords for quite 
> some time to come but IMO it would be a Good Thing(tm) if 
> clients/servers would default to storing hashed passwords.
>
> Bart
>
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev



-- 
http://www.radinks.com/upload
Drag and Drop File Uploader.