[jdev] plaintext passwords hack

Jonathan Dickinson jonathan at dickinsons.co.za
Thu Dec 17 09:48:14 CST 2009


Sorry for not conforming to the list standards, I am on my mobile.

Logins taking a long time is advantageous, remember we are not a primitive/chatty protocol like HTTP; so burning CPU cycles during a login is a VERY small problem; people often forget that we are not in the same realm as HTTP. The advantage mentioned is that: more time to verify a password = fewer brute operations per second = more time for an admin to notice.

-----Original Message-----
From: Simon Josefsson <simon at josefsson.org>
Sent: 17 December 2009 03:35 PM
To: Jabber/XMPP software development list <jdev at jabber.org>
Subject: Re: [jdev] plaintext passwords hack

Peter Saint-Andre <stpeter at stpeter.im> writes:

> On 12/16/09 9:03 AM, Simon Tennant (Buddycloud) wrote:
>> I'm curious what the community makes of the recent news
>> http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
>> given SASL's cleartext password storage?  It seems like a monster breach.
>
> This topic is more appropriate for the operators at xmpp.org list, but here
> goes anyway...
>
> We've had these debates for years. And this is not tied to SASL, but if
> you want to offer multiple SASL mechanisms (DIGEST-MD5, SCRAM, PLAIN
> over TLS, CRAM-MD5, etc.), then I think it's difficult or impossible to
> have hashed passwords.

If you don't store the hashed password for SCRAM, you need to burn CPU
time for every login to derive the SCRAM hash keys.  That doesn't scale
well.

/Simon
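Simon's point about where the SCRAM CPU cost lands, as an added example (not code from Simon, Jonathan or any XMPP server): a server that stores the SCRAM-SHA-1 verifier record from RFC 5802 (salt, iteration count, StoredKey, ServerKey) runs PBKDF2 once at enrolment and verifies each login with two HMACs and one hash, while a server that keeps only the plaintext password must re-run the derivation for every login. The user record, salt and AuthMessage below are constructed; the iteration count 4096 is RFC 5802's minimum, and a stolen record still permits offline guessing, so salt and iteration count remain the defence.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed SCRAM-SHA-1 example following RFC 5802; not a project's own code.

@dataclass
class ScramRecord:
    """What the server stores instead of the plaintext password."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1; this is the expensive step.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)

def enroll(password: str, iterations: int = 4096, salt: Optional[bytes] = None) -> ScramRecord:
    """Run the derivation once at password-set time; keep only the derived keys."""
    salt = salt if salt is not None else os.urandom(16)
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return ScramRecord(salt, iterations, hashlib.sha1(client_key).digest(), server_key)

def client_proof(password: str, rec: ScramRecord, auth_message: bytes) -> bytes:
    """Client side: the client holds the password, so PBKDF2 runs here per login."""
    sp = salted_password(password, rec.salt, rec.iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verify(rec: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    No PBKDF2 and no plaintext password are needed, only the stored record."""
    client_sig = hmac.new(rec.stored_key, auth_message, hashlib.sha1).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), rec.stored_key)

def server_signature(rec: ScramRecord, auth_message: bytes) -> bytes:
    """Server's reply proving it holds ServerKey, again without the password."""
    return hmac.new(rec.server_key, auth_message, hashlib.sha1).digest()
```

The same record only serves SCRAM-SHA-1; a second mechanism (DIGEST-MD5, CRAM-MD5) needs its own stored secret, which is the multi-mechanism problem Peter raises.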