[jdev] plaintext passwords hack
Simon Tennant (Buddycloud)
simon at buddycloud.com
Wed Dec 16 10:03:49 CST 2009
I'm curious what the community makes of the recent news
http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
given SASL's cleartext password storage? It seems like a monster breach.
Are we, as XMPP network operators, headed to a similar compromise as
larger projects get built around XMPP?
Are there any XMPP network operators (apart from Google) that have
turned off all but the SASL PLAIN with TLS? How did your migration go
or did you start out with salted and hashed passwords from day 1?
I am also curious about what measures you are taking outside of the SASL
realm to keep your users' data secure?
Also, if you do not hash passwords in the DB, how do you go about
informing your users that you are keeping their passwords in cleartext?
S.
--
Simon Tennant
.de mobile: +49 17 8545 0880
.uk mobile: +44 78 5335 6047
.uk office: +44 20 7043 6756
.de office: +49 89 4209 55854
email and xmpp: simon at buddycloud.com
http://buddycloud.com
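The migration the post asks about (moving an XMPP account store from cleartext to salted, hashed passwords while only offering SASL PLAIN over TLS) can be done lazily: because PLAIN hands the server the actual password at login, the server can verify it against a legacy cleartext record, then overwrite that record with a salted hash on the spot. The sketch below is an added example written for this thread, not code from the post, from Buddycloud, or from any XMPP server; the record format, the PBKDF2 parameters, the in-memory user table and the `tls_active` flag are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 with a fixed iteration count.
# A real deployment should follow current guidance for the work factor.
PBKDF2_ITERATIONS = 600_000

# Constructed record formats (not any server's real schema):
#   legacy cleartext:  "plain$<password>"
#   migrated:          "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2 record for a password; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


# Used when the username does not exist, so a lookup failure costs the same
# time as a real verification and does not reveal which accounts exist.
_DUMMY_RECORD = hash_password("dummy-password-for-timing-equalisation")


def sasl_plain_login(users: Dict[str, str], username: str, password: str,
                     tls_active: bool) -> bool:
    """Authenticate a SASL PLAIN attempt against a mixed cleartext/hashed store.

    Returns True on success. On a successful login against a legacy cleartext
    record the record is replaced with a salted hash (lazy migration).
    """
    if not tls_active:
        # PLAIN carries the password itself; never accept it on an unencrypted stream.
        return False

    record = users.get(username)
    if record is None:
        verify_hashed(password, _DUMMY_RECORD)
        return False

    if record.startswith("plain$"):
        stored = record[len("plain$"):]
        ok = hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
        if ok:
            users[username] = hash_password(password)  # migrate this account now
        return ok

    return verify_hashed(password, record)


def migration_status(users: Dict[str, str]) -> Dict[str, int]:
    """Count how many accounts still hold cleartext versus hashed records."""
    cleartext = sum(1 for r in users.values() if r.startswith("plain$"))
    return {"cleartext": cleartext, "hashed": len(users) - cleartext}


# Constructed sample table: two legacy accounts, one already migrated.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "plain$correct horse battery staple",
    "bob": "plain$hunter2",
    "carol": hash_password("s3cret-passphrase"),
}

if __name__ == "__main__":
    print(migration_status(SAMPLE_USERS))                 # 2 cleartext, 1 hashed
    print(sasl_plain_login(SAMPLE_USERS, "alice", "correct horse battery staple", True))
    print(migration_status(SAMPLE_USERS))                 # alice is now hashed
    print(sasl_plain_login(SAMPLE_USERS, "bob", "hunter2", False))  # refused: no TLS
```

Accounts that never log in again are the catch with this approach: after a grace period the remaining `plain$` records should be force-reset rather than left in cleartext indefinitely, and `migration_status` is the number to watch while deciding when that is. The same verification path works unchanged for hashed records, which is what makes restricting the server to PLAIN-over-TLS compatible with not keeping cleartext passwords at all.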