[jdev] MD5 auth problem
Norman Rasmussen
norman at rasmussen.co.za
Thu May 25 05:07:50 CDT 2006
On 5/25/06, Ulrich Staudinger <us at activestocks.de> wrote:
> Right. I just would have liked to have it standardized. But yes, you are
> correct, simply altering a client should be very fine for a single
> service.
Just provide a tiny md5 calculator for the users :-) Tell them they
need to run their password via the tool to generate the jabber
password :-P
> However, as community software usually stores passwords in md5,
> most other communities can't simply plug in a jabber server for the said
> reasons.
mmm, sucks. There's no good reason to store passwords as *unsalted*
md5 these days. There's a good reason to use some sort of salt.
username:realm: seems like a good salt to use, but it does require
that _all_ forums you want to plug in to implement it.
The best suggestion is to use plain combined with tls/ssl (which is
probably a good idea anyways). If you're using any sort of external
auth (ldap, pam) then you have to use plain anyways.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
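
The point about `username:realm:` as a salt, worked through as an added example that is not part of the original message. It assumes the MD5 mechanism under discussion is SASL DIGEST-MD5 (RFC 2831); the function names are hypothetical and the sample values are the ones from the RFC 2831 example exchange.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the user database would keep: raw MD5(username:realm:password).
    Note: this value is password-equivalent within the realm, so it still
    needs the same protection at rest as a password."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce, cnonce, nc, digest_uri, qop="auth") -> str:
    """RFC 2831 response value, computed from the stored secret alone."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")   # no authzid
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

def server_verify(secret: bytes, client_response: str, **challenge) -> bool:
    """Server side: recompute from the database entry, compare in constant time."""
    return hmac.compare_digest(digest_response(secret, **challenge), client_response)

# Sample exchange (values from the RFC 2831 example, not from this thread).
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
CHALLENGE = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                 nc="00000001", digest_uri="imap/elwood.innosoft.com")

def demo():
    # The client knows the plaintext password and derives the same secret.
    client = digest_response(stored_secret(USER, REALM, PASSWORD), **CHALLENGE)
    # Database A keeps MD5(username:realm:password): verification works.
    salted_db = stored_secret(USER, REALM, PASSWORD)
    # Database B (typical forum) keeps unsalted MD5(password): the server
    # cannot rebuild A1 from it, so the same response fails to verify.
    forum_db = md5(PASSWORD.encode("utf-8"))
    return (client,
            server_verify(salted_db, client, **CHALLENGE),
            server_verify(forum_db, client, **CHALLENGE))

if __name__ == "__main__":
    response, salted_ok, forum_ok = demo()
    print("client response:         ", response)
    print("username:realm: store ok:", salted_ok)
    print("unsalted md5 store ok:   ", forum_ok)
```
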