[jdev] plaintext passwords hack

Alexander Holler holler at ahsoftware.de
Fri Dec 18 09:07:08 CST 2009


On 18.12.2009 14:58, Alexander Holler wrote:
> Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5
> the server has to hash the clear-text password with a value the client
> provides. So the server needs the clear-text password. And if the server
> is able to get the clear-text password, everyone with the same rights on
> the server can retrieve the clear-text passwords too.

The solution to this problem is public key algorithms. So using 
(enforcing) client-side SSL certificates would do the trick.

Maybe a XEP which defines how a client sends its (public part of the) 
certificate during the registration process would be a practical solution.

Regards,

Alexander
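The contrast the message draws (a server-side secret that is enough to impersonate the client versus a stored public key that is not) can be shown in a few lines. The following is an added example written for this page, not code from the thread or from any XMPP server; it uses a simplified digest exchange (MD5 over user:realm:password, then over the nonces, not the full RFC 2831 message format) and Ed25519 from the Go standard library standing in for the client certificate's key pair. The names `digestA1`, `attackerForgesDigest` and `attackerForgesPubkey` are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// digestA1 is the value the server must keep for a digest-style mechanism
// (simplified here: MD5 over user:realm:password). Anyone who can read it
// can answer every future challenge, so it is password-equivalent.
func digestA1(user, realm, password string) string {
	return md5Hex(user + ":" + realm + ":" + password)
}

// digestResponse is what the client sends for the server nonce and its own
// cnonce. The server has to recompute exactly this from its stored A1.
func digestResponse(a1, nonce, cnonce string) string {
	return md5Hex(a1 + ":" + nonce + ":" + cnonce)
}

func digestVerify(storedA1, nonce, cnonce, response string) bool {
	expected := digestResponse(storedA1, nonce, cnonce)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

// pubkeyVerify is the public-key alternative: the server stores only the
// client's public key (for example taken from a client certificate at
// registration) and asks the client to sign a fresh nonce.
func pubkeyVerify(stored ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(stored, nonce, sig)
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// attackerForgesDigest: someone with read access to the server's stored
// secret answers a brand-new challenge without ever knowing the password.
func attackerForgesDigest(storedA1 string) bool {
	nonce := hex.EncodeToString(newNonce())
	cnonce := hex.EncodeToString(newNonce())
	forged := digestResponse(storedA1, nonce, cnonce) // no password needed
	return digestVerify(storedA1, nonce, cnonce, forged)
}

// attackerForgesPubkey: the same level of access yields only the public
// key. The attacker can sign with some private key of their own, but the
// signature does not verify against the stored public key.
func attackerForgesPubkey(stored ed25519.PublicKey) bool {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce := newNonce()
	return pubkeyVerify(stored, nonce, ed25519.Sign(attackerPriv, nonce))
}

func main() {
	// Constructed sample account; "s3cret" is a placeholder password.
	a1 := digestA1("alice", "example.org", "s3cret")
	fmt.Println("digest: attacker with server copy passes?", attackerForgesDigest(a1))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := newNonce()
	fmt.Println("pubkey: real client passes?", pubkeyVerify(pub, nonce, ed25519.Sign(priv, nonce)))
	fmt.Println("pubkey: attacker with server copy passes?", attackerForgesPubkey(pub))
}
```

The first line prints `true` and the last prints `false`: what the server stores for the digest mechanism is itself a credential, whereas the public key is not, which is the property the message relies on when it proposes client certificates.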

