[JDEV] Account information storage, plaintext?
Richard Dobson
richard at dobson-i.net
Mon Sep 15 16:48:54 CDT 2003
> > As others have explained the transport passwords have to be available
> > in plaintext for the transports to work. However that does not mean
> > that you have to store them in plain text. A small modification to
> > xdb_sql or xdb_file can allow you to encrypt/decrypt passwords but
> > this has to be a two way algorithm instead of a one way hash.
>
> The use of a two way algorithm would still require the user do more than
> cat the file to find the password. Why should we make it as easy as
> possible for people (admins or not) to find out other people's
> passwords? If anything we should be taking every possible step to do
> exactly the opposite.
Because, as already mentioned, transports simply won't work if you cannot
obtain the original plaintext password; also, current authentication schemes
will not work either, and as I've already said it makes it very difficult to
integrate Jabber into an existing system if you cannot get at the plaintext
password.
> > btw: you will find thousands of web applications that store usernames
> > and passwords in plaintext.
>
> Simply because thousands of applications do it doesn't mean it's the
> correct thing to do.
Of course it doesn't mean it's the best thing to do in an ideal world, but
because we live in the real world a lot of people will want to integrate
Jabber with those existing applications; we cannot simply ignore their
existence.
Richard
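The point made above in the quoted reply, that a transport needs the original password back but the record on disk need not hold it in the clear, as an added example. This is illustration code, not code from the thread or from the jabberd xdb_sql/xdb_file modules. It assumes the server holds a 32-byte key loaded from a file readable only by its own user (the key value here is constructed), seals each password with AES-256-GCM, and binds the username as associated data so a sealed record cannot be copied into another user's entry. A one-way hash cannot serve this purpose because nothing can recover the plaintext from it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// serverKey stands in for a key the server loads at startup from a file
// owned by and readable only by the jabberd user. It is a constructed value
// for this example; a real deployment generates 32 random bytes and keeps
// them apart from the xdb data so that reading the data file alone is useless.
var serverKey = sha256.Sum256([]byte("constructed example key, not for real use"))

// sealPassword encrypts a transport password with AES-256-GCM so the record
// written by the xdb backend no longer contains the plaintext. The username
// is bound as associated data: a ciphertext moved into another user's record
// fails authentication. Output is base64(nonce || ciphertext || tag).
func sealPassword(key [32]byte, username, password string) (string, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(password), []byte(username))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// openPassword recovers the plaintext for the transport. Only a process
// holding serverKey can do this; `cat` on the data file shows base64 noise,
// and any edit to the record makes the GCM tag check fail.
func openPassword(key [32]byte, username, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(username))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong user, or tampered record")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample user and transport password.
	rec, err := sealPassword(serverKey, "alice@example.com", "transport-pw")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", rec)
	pw, err := openPassword(serverKey, "alice@example.com", rec)
	fmt.Println("recovered for transport:", pw, err)
}
```

The design keeps the admin-with-cat problem from the reply in view: the data file by itself yields nothing, and recovering a password requires both the key file and code running as the server. It does not protect against someone who already controls the running server process, which is exactly the limit the thread's participants are arguing over.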