[JDEV] Account information storage, plaintext?

Richard Dobson richard at dobson-i.net
Tue Sep 16 03:53:09 CDT 2003


> > > The use of a two way algorithm would still require the user do more
> > > than cat the file to find the password.  Why should we make it as
> > > easy as possible for people (admins or not) to find out other
> > > people's passwords?  If anything we should be taking every possible
> > > step to do exactly the opposite.
> >
> > Because as already mentioned transports simply won't work if you cannot
> > obtain the original plaintext password, also current authentication
> > schemes will not work either, and as I've already said it makes it very
> > difficult to integrate Jabber into an existing system if you cannot
> > get at the plaintext password.
>
> Please reread my statement.  I referenced the use of a two way
> algorithm, not a one way.  A two way algorithm would allow the
> transports and server access to the original plaintext password.

I did; I was reading the statement "Why should we make it as easy as
possible for people (admins or not) to find out other people's passwords?",
which I read as meaning that we should be using one-way hashes and not
two-way encryption.

> > > Simply because thousands of applications do it doesn't mean it's the
> > > correct thing to do.
> >
> > Of course it doesn't mean it's the best thing to do in an ideal world, but
> > because we live in the real world a lot of people will want to
> > integrate Jabber with those existing applications, we cannot simply
> > ignore their existence.
>
> And, what about using a two way algorithm would stop us from doing so?

Read my statement above; I was not talking about two-way. I also read this
statement as meaning that we should be hashing all passwords and ignoring
the thousands of applications you think are doing things wrong.

Richard



