[jdev] plaintext passwords hack
Simon Josefsson
simon at josefsson.org
Thu Dec 17 07:35:15 CST 2009
Peter Saint-Andre <stpeter at stpeter.im> writes:
> On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote:
>> I'm curious what the community makes of the recent news
>> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
>> given SASL's cleartext password storage? It seems like a monster breech.
>
> This topic is more appropriate for the operators at xmpp.org list, but here
> goes anyway...
>
> We've had these debates for years. And this is not tied to SASL, but if
> you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN
> over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to
> have hashed passwords.
If you don't store the hashed password for SCRAM, you need to burn CPU
time for every login to derive the SCRAM hash keys. That doesn't scale
well.
/Simon
More information about the JDev
mailing list