[jdev] plaintext passwords hack
Peter Saint-Andre
stpeter at stpeter.im
Wed Dec 16 17:56:59 CST 2009
On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote:
> I'm curious what the community makes of the recent news
> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
> given SASL's cleartext password storage? It seems like a monster breach.
This topic is more appropriate for the operators at xmpp.org list, but here
goes anyway...
We've had these debates for years. And this is not tied to SASL, but if
you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN
over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to
have hashed passwords.
And even if you do have hashed passwords, if someone breaks into your
machine then it's not that much work to de-hash them all. It just looks
scarier if they're in cleartext to start with.
> Are we, as XMPP network operators, headed to a similar compromise as
> larger projects get built around XMPP?
Everyone is a target for network compromise.
> Are there any XMPP network operators (apart from Google) that have
> turned off all but the SASL PLAIN with TLS? How did your migration go
> or did you start out with salted and hashed passwords from day 1?
We have not done so at jabber.org and do not plan to do so.
> I am also curious about what measures you are taking outside of the SASL
> realm to keep your users' data secure?
Investigating passwordless login via user keys.
> Also, if you do not hash passwords in the DB, how do you go about
> informing your users that you are keeping their passwords in cleartext?
http://www.jabber.org/service-policy/#passwords
Peter
--
Peter Saint-Andre
https://stpeter.im/
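The following is an added example, not code from the original message or from jabber.org. It illustrates Peter's point about mechanism mix and password storage: a server that stores only a salted SCRAM-style verifier (salt, iteration count, StoredKey, ServerKey, as in RFC 5802 for SCRAM-SHA-1) can still authenticate SCRAM-SHA-1 clients and PLAIN-over-TLS clients, because in both cases the server can work from the verifier. A CRAM-MD5 response, by contrast, is an HMAC-MD5 keyed on the raw password, which cannot be derived from that verifier, so supporting it forces the server to keep the password (or an MD5-specific intermediate). The salt, iteration count, AuthMessage bytes and passwords below are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# SCRAM-SHA-1 (RFC 5802) uses SHA-1 for H() and HMAC; PBKDF2 is Hi().
HASH = "sha1"


def hmac_h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def make_scram_verifier(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """What the server stores for SCRAM: salt, iteration count, StoredKey, ServerKey.
    SaltedPassword itself is discarded; neither stored key reveals the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac_h(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac_h(salted, b"Server Key"),
    }


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac_h(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac_h(stored_key, auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))


def scram_server_verify(verifier: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side: undo the XOR to recover ClientKey, then check H(ClientKey) == StoredKey.
    Only the verifier is needed; the password never reaches the server."""
    signature = hmac_h(verifier["stored_key"], auth_message)
    client_key = bytes(a ^ b for a, b in zip(client_proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), verifier["stored_key"])


def plain_verify(verifier: dict, password: str) -> bool:
    """SASL PLAIN over TLS: the server receives the password itself, so it can
    rerun the same derivation with the stored salt and compare StoredKey."""
    candidate = make_scram_verifier(password, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(candidate["stored_key"], verifier["stored_key"])


def cram_md5_response(password: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): the response is HMAC-MD5 keyed on the raw password.
    To check it, the server must hold the password (or an equivalent MD5 state);
    nothing in the SCRAM verifier above can produce this value."""
    return hmac.new(password.encode(), challenge, "md5").hexdigest()


if __name__ == "__main__":
    # Constructed sample values.
    verifier = make_scram_verifier("correct horse", salt=b"constructed-salt", iterations=4096)
    auth_message = b"n=alice,r=cnonce,r=cnonce-snonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,c=biws,r=cnonce-snonce"
    proof = scram_client_proof("correct horse", verifier["salt"], verifier["iterations"], auth_message)
    print("SCRAM ok:", scram_server_verify(verifier, auth_message, proof))
    print("PLAIN ok:", plain_verify(verifier, "correct horse"))
    print("CRAM-MD5 needs raw password:", cram_md5_response("correct horse", b"<constructed-challenge>"))
```

The two verification paths that work from the stored verifier share one derivation, so a deployment offering only SCRAM and PLAIN-over-TLS can keep salted, iterated hashes on disk. Adding CRAM-MD5 or DIGEST-MD5 to the offered mechanism list changes what the server must store, which is the constraint the message describes.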