[JDEV] Account information storage, plaintext?
Perry Lorier
perry at coders.net
Tue Sep 16 17:40:35 CDT 2003
>>4) It is acknowledged that a) the server will need to translate/send
>>these passwords in plain text, b) integration with other apps may
>>require password *stored* in plain text. (But please explain if there
>>is a good reason why this should be the default)
>
>Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best auth
>mechanisms we have to date) require both the client and the server to
>have access to the plaintext password. That's enough reason for me.
Agreed, there are technical reasons for having passwords kept in plaintext.
However:
* Jabber 1.x at least sends the server administrator a copy of the
plain text password when the user registers with the server (if the
admin is set up to receive information)
* The transport passwords could be encrypted with the "main" jabber
password as the encryption key, so if you get a transport password it's
useless without the jabberd password (on the other hand, getting the
jabberd password is reasonably straightforward, if they are in plain text)
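The two points in this exchange, as an added example that is not part of the thread or of jabberd: first, why the jabber:iq:auth digest (hex SHA-1 over stream id + password) can only be verified by a server that holds the plaintext, while a salted-hash store can verify a password sent in the clear but has nothing to compute the digest from; second, the proposal of keeping transport passwords usable only with the main Jabber password. Usernames, passwords and stream ids below are constructed sample values, the function names are this example's own, and the sealing scheme (PBKDF2-derived key, HMAC-SHA256 keystream XOR, encrypt-then-MAC) is an illustrative standard-library construction rather than a vetted AEAD.

```python
import hashlib
import hmac
import os

# --- Part 1: the digest mechanism and what the server must hold ---

def jabber_digest(stream_id: str, password: str) -> str:
    """jabber:iq:auth digest: hex SHA-1 over the stream id concatenated
    with the plaintext password (the Jabber 1.x form discussed above)."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def verify_digest_plaintext_store(store: dict, username: str,
                                  stream_id: str, digest: str) -> bool:
    """Server side with plaintext passwords on disk: recompute and compare.
    This is the only store layout that can check a digest at all."""
    password = store.get(username)
    if password is None:
        return False
    return hmac.compare_digest(jabber_digest(stream_id, password), digest)

def make_hashed_record(password: str) -> tuple:
    """Salted PBKDF2 record, the usual alternative to storing plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify_plain_hashed_store(store: dict, username: str, password: str) -> bool:
    """A hashed store can check a password the client sends in the clear,
    but SHA1(stream_id + password) cannot be derived from a salted hash,
    so there is no hashed-store counterpart to verify_digest_plaintext_store."""
    record = store.get(username)
    if record is None:
        return False
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(got, expected)

# --- Part 2: transport passwords keyed by the main Jabber password ---

def _derive_key(main_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", main_password.encode("utf-8"), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative construction)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal_transport_password(main_password: str, transport_password: str) -> bytes:
    """Encrypt-then-MAC the transport password under a key derived from the
    main password. Layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(main_password, salt)
    plaintext = transport_password.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext

def open_transport_password(main_password: str, blob: bytes):
    """Return the transport password, or None if the main password is wrong
    or the blob was modified. Without the main password the blob is useless,
    which is the property the message above is after."""
    if len(blob) < 64:
        return None
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = _derive_key(main_password, salt)
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8")

if __name__ == "__main__":
    # Constructed sample account: plaintext store on one server, hashed on another.
    plain_store = {"alice": "correct horse"}
    hashed_store = {"alice": make_hashed_record("correct horse")}
    stream_id = "3B2F1A9C"                      # constructed stream id
    client_digest = jabber_digest(stream_id, "correct horse")
    print("plaintext store verifies digest:", verify_digest_plaintext_store(plain_store, "alice", stream_id, client_digest))
    print("hashed store verifies cleartext password:", verify_plain_hashed_store(hashed_store, "alice", "correct horse"))
    sealed = seal_transport_password("correct horse", "legacy-im-pass")
    print("transport password with main password:", open_transport_password("correct horse", sealed))
    print("transport password without it:", open_transport_password("guess", sealed))
```

The sealed blob only helps if the main password itself is not sitting next to it in the clear, which is exactly the caveat in the parenthesis above: whoever reads the spool gets the key along with the ciphertext.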