[jdev] MD5 auth problem

Norman Rasmussen norman at rasmussen.co.za
Thu May 25 04:38:42 CDT 2006


On 5/25/06, Ulrich Staudinger <us at activestocks.de> wrote:
> > Some sort of non-challenge MD5? That would be just as secure as plain.
> Actually I thought more about something like:
> md5(   md5(password) + sid )

So, basically using the md5(password) as the plain password, you can
use any SASL method after you've computed that - md5(x + sid) is just
a weak SASL method, DIGEST-MD5 would do much better - and it's already
implemented everywhere.

If you're going to alter the client, just add an MD5 hash function to
the password when the user enters it, and use that as the Jabber
account password.  Then you can do direct text matching with the value
in the db, no matter which SASL method is chosen.

-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
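
The approach described in the message above, as an added example that is not part of the original post: the client hashes the typed password once, that hex string is the account password held in the db, and the server checks it the same way under PLAIN or DIGEST-MD5 (response computed per RFC 2831). The user name, realm, passphrase, nonces and function names are constructed for illustration; the stored hash is itself the credential, so it needs the same protection as a plaintext password.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def account_password(typed: str) -> str:
    # Client-side step: hex MD5 of what the user typed becomes the
    # account password, and is the value stored in the db.
    return md5_hex(typed.encode("utf-8"))

def digest_md5_response(user, realm, secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    # RFC 2831 response-value (no authzid). A1 starts with the raw
    # 16-byte MD5 of user:realm:secret, followed by ":nonce:cnonce".
    a1 = hashlib.md5(f"{user}:{realm}:{secret}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    ha1 = md5_hex(a1)
    ha2 = md5_hex(f"AUTHENTICATE:{digest_uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

# Constructed server-side record and challenge fields.
DB = {"juliet": account_password("constructed-passphrase")}
FIELDS = dict(user="juliet", realm="example.com",
              nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
              nc="00000001", digest_uri="xmpp/example.com")

def server_check_plain(db_value: str, sent: str) -> bool:
    # PLAIN: direct text match against the db value.
    return hmac.compare_digest(db_value, sent)

def server_check_digest(db_value: str, response: str) -> bool:
    # DIGEST-MD5: server recomputes the response using the db value as the secret.
    expected = digest_md5_response(secret=db_value, **FIELDS)
    return hmac.compare_digest(expected, response)

def login(typed: str, mechanism: str) -> bool:
    secret = account_password(typed)  # the only client change
    if mechanism == "PLAIN":
        return server_check_plain(DB["juliet"], secret)
    return server_check_digest(DB["juliet"], digest_md5_response(secret=secret, **FIELDS))

if __name__ == "__main__":
    for mech in ("PLAIN", "DIGEST-MD5"):
        print(mech, login("constructed-passphrase", mech), login("wrong-guess", mech))
```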


