[jdev] MD5 auth problem

Ulrich Staudinger us at activestocks.de
Thu May 25 04:42:54 CDT 2006


Norman Rasmussen wrote:

> On 5/25/06, Ulrich Staudinger <us at activestocks.de> wrote:
>
>> > some sort of non-challenge md5? that would be just as secure as plain.
>> Actually I thought more about something like:
>> md5(   md5(password) + sid )
>
>
> so, basically using the md5(password) as the plain password, you can
> use any sasl method after you've computed that - md5(x + sid) is just
> a weak sasl method, digest-md5 would do much better - and it's already
> implemented everywhere.
>
> If you're going to alter the client, just add a md5 hash function to
> the password when the user enters it, and use that as the jabber
> account password.  Then you can do direct text matching with the value
> in the db, no matter which sasl method is chosen.
>
Right. I just would have liked to have it standardized. But yes, you are
correct, simply altering a client should be very fine for a single
service. However, as community software usually stores passwords in md5,
most other communities can't simply plug in a jabber server for the said
reasons.

Cheers,
Ulrich
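
The two options discussed in this thread, sketched as an added example that is not part of the original message: the proposed md5(md5(password) + sid) response, and the altered client that uses md5(password) as the account password. All function names, the sample password and the sample sid are constructed; the jabber:iq:auth digest (SHA-1 over stream id plus password) is used here as one stand-in for "any method" and is not named in the thread.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def legacy_db_value(password: str) -> str:
    """What the community software stores for a user: md5(password)."""
    return md5_hex(password)

# Option 1: the proposed scheme, md5(md5(password) + sid).
def proposed_response(password: str, sid: str) -> str:
    """Client side: hash the password, append the stream id, hash again."""
    return md5_hex(md5_hex(password) + sid)

def verify_proposed(stored_md5: str, sid: str, response: str) -> bool:
    """Server side: recompute from the stored hash and the sid it issued."""
    return hmac.compare_digest(md5_hex(stored_md5 + sid), response)

# Option 2: altered client, md5(password) is the Jabber account password.
def client_account_password(typed_password: str) -> str:
    """Hash once when the user enters the password; send only this onward."""
    return md5_hex(typed_password)

def iq_auth_digest(sid: str, account_password: str) -> str:
    """jabber:iq:auth digest: lowercase hex SHA-1 of sid + password."""
    return hashlib.sha1((sid + account_password).encode("utf-8")).hexdigest()

def verify_iq_auth_digest(stored_md5: str, sid: str, digest: str) -> bool:
    """The server treats the stored md5 as the account password and compares.
    In both options the stored md5 is the effective credential, so the
    database column needs the same protection as a plaintext password."""
    return hmac.compare_digest(iq_auth_digest(sid, stored_md5), digest)

if __name__ == "__main__":
    password, sid = "correct horse", "3EE948B0"   # constructed sample values
    stored = legacy_db_value(password)
    print("option 1 ok:", verify_proposed(stored, sid, proposed_response(password, sid)))
    altered = iq_auth_digest(sid, client_account_password(password))
    print("option 2, altered client:", verify_iq_auth_digest(stored, sid, altered))
    unaltered = iq_auth_digest(sid, password)     # stock client, plaintext input
    print("option 2, stock client:", verify_iq_auth_digest(stored, sid, unaltered))
```

The stock client fails in the last line because its digest is computed over the typed password, which the server cannot reproduce from the stored md5.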