[JDEV] Account information storage, plaintext?
Tijl Houtbeckers
thoutbeckers at splendo.com
Tue Sep 16 13:49:47 CDT 2003
"Michael Brown" <michael at aurora.gen.nz> wrote on 16-9-2003 13:27:57:
>3) Some people on the list - myself included - cannot understand why a
>simple *two way* encryption method isn't employed so that, at the very
>least, the passwords aren't as easily human readable/recognisable. (If
>there is a good reason, please explain this!)
The only thing 2 way encryption will give you is a false sense of
security. From a security point of view this adds *nothing*. However,
some admins might consider it "secure" since it has the word
"encryption" in it, and not pay attention to file permissions. This will
not make Jabber any more secure from a security standpoint, but you
might *feel* more secure about it.
Anyway, if you still want it, it shouldn't be that hard to write a
patch for either; you can just XOR whatever you write to the disk, then
XOR it again when you read it.
If you want *real* security in which you do not have to trust the admin
with your passwords and where passwords will only be exposed during
registration, as said before SASL can do that. If you don't even want
your password to be exposed during registration, it's possible if you
adapt jabber:iq:register for it.
As for the transports, as already said, in most cases it's only
possible if you adapt the clients to assist in the authentication
process.
--
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
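The point made above, that XOR "encryption" of the password file only changes how the plaintext looks on disk, as an added example that is not part of this message and not jabberd code. The store format (one "user:password" line per account), the key b"s3cret" and the account data are all constructed for the demonstration. The toy store applies the "XOR on write, XOR on read" patch sketched above; the attacker is a user who registered one account (so knows one plaintext record) and then got read access to the file, and recovers the key and every other password from that alone, without ever seeing the server config:

```python
"""Toy demonstration that XOR "encryption" of a stored password file adds
nothing once an attacker can read the file.

Added example, not jabberd code. The store format (one "user:password"
line per account), the key and the account data are all constructed here.
"""
from itertools import cycle
from typing import Dict, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Applying it twice restores the input,
    which is exactly the "XOR on write, XOR on read" patch sketched above."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def write_store(accounts: Dict[str, str], key: bytes) -> bytes:
    """Serialize accounts as 'user:password' lines and XOR them before 'writing'."""
    plain = "\n".join(f"{u}:{p}" for u, p in accounts.items()).encode()
    return xor_bytes(plain, key)


def read_store(blob: bytes, key: bytes) -> Dict[str, str]:
    """Inverse of write_store: XOR again and parse the lines."""
    plain = xor_bytes(blob, key).decode()
    return dict(line.split(":", 1) for line in plain.splitlines())


def _looks_like_store(plain: bytes) -> bool:
    """Sanity check used by the attacker: printable ASCII, a ':' on every line."""
    if not all(32 <= b < 127 or b == 10 for b in plain):
        return False
    return all(b":" in line for line in plain.split(b"\n"))


def recover_key(blob: bytes, known: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack by someone who registered one account themselves.

    The attacker knows that 'user:password' for their own account appears
    somewhere in the file. XORing ciphertext with that plaintext at the right
    offset yields the keystream, which repeats with the key length; offset and
    key length are found by trying all of them and keeping the candidate whose
    decryption of the whole file looks like a password file.
    """
    for key_len in range(1, min(max_key_len, len(known)) + 1):
        for off in range(len(blob) - len(known) + 1):
            stream = xor_bytes(blob[off:off + len(known)], known)
            # The keystream must repeat with period key_len.
            if any(stream[i] != stream[i - key_len] for i in range(key_len, len(stream))):
                continue
            # stream[i] == key[(off + i) % key_len]  =>  key[j] == stream[(j - off) % key_len]
            key = bytes(stream[(j - off) % key_len] for j in range(key_len))
            if _looks_like_store(xor_bytes(blob, key)):
                return key
    return None


if __name__ == "__main__":
    KEY = b"s3cret"  # constructed; in a real patch this would sit in the server config
    accounts = {"alice": "correct horse", "bob": "letmein", "mallory": "hunter2"}
    blob = write_store(accounts, KEY)
    # Mallory registered "mallory"/"hunter2", then got read access to the file.
    found = recover_key(blob, b"mallory:hunter2")
    print("recovered key:", found)
    print("all accounts:", read_store(blob, found))
```

The attack needs no access to the key at all, which is the weakest case; the admin the thread worries about can simply read the key out of the config next to the file, so file permissions decide everything and the XOR decides nothing.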