[jdev] plaintext passwords hack
Alexander Holler
holler at ahsoftware.de
Fri Dec 18 10:03:53 CST 2009
On 18.12.2009 16:42, Simon Josefsson wrote:
>> Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5
>> the server has to hash the clear-text password with a value the client
>> provides.
>
> That is true for CRAM-MD5, but not for DIGEST-MD5 and SCRAM-MD5. With
> the latter two mechanisms, the server can store a hash and perform
> authentications without access to the password. For CRAM-MD5 this is
> not possible, and the server indeed needs to have access to the
> cleartext password for things to work.
Maybe I mixed those two up. Anyway, using SASL the server has to feed SASL
with the clear-text password (at least this is my knowledge about the
SASL API, which might be outdated or inaccurate).
Regards,
Alexander
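The point in the quoted reply, that CRAM-MD5 forces the server to hold the cleartext password while SCRAM lets it verify a client against stored derived keys only, is easiest to see with both mechanisms side by side. The following is an added, self-contained example written for this page; it is not code from the thread, from any XMPP server or from any SASL library. It follows RFC 2195 (CRAM-MD5) and RFC 5802 (SCRAM-SHA-1) directly with Python's hashlib/hmac; the user name, password, challenge string and the two nonces are constructed test inputs (the nonces are fixed constants so the run is reproducible, where a real implementation draws them at random), and the message layout in scram_exchange is the minimal no-channel-binding form ("c=biws").

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# ---------- CRAM-MD5 (RFC 2195): the server needs the cleartext password ----------

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client: HMAC-MD5 keyed with the password over the server's challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_md5_verify(cleartext_password: str, challenge: bytes, response: str) -> bool:
    """Server: must recompute the HMAC with the same key the client used,
    i.e. the cleartext password. A stored hash of the password cannot substitute."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(cleartext_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# ---------- SCRAM-SHA-1 (RFC 5802): the server stores only derived keys ----------

@dataclass
class ScramCredential:
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): enough to verify the client's proof
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): proves the server to the client

def _salted(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # Hi() of RFC 5802

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_enroll(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> ScramCredential:
    """Run once when the account is created; the password itself is not kept."""
    salt = salt or os.urandom(16)
    sp = _salted(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return ScramCredential(salt, iterations, hashlib.sha1(client_key).digest(), server_key)

def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> Tuple[bytes, bytes]:
    """Client: returns (ClientProof, the ServerSignature it expects back)."""
    sp = _salted(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return _xor(client_key, client_sig), server_sig

def scram_server_verify(cred: ScramCredential, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    """Server: recovers ClientKey from the proof using StoredKey alone and checks
    H(ClientKey) == StoredKey. Returns the ServerSignature on success, None otherwise."""
    client_sig = hmac.new(cred.stored_key, auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), cred.stored_key):
        return None
    return hmac.new(cred.server_key, auth_message, hashlib.sha1).digest()

def scram_exchange(cred: ScramCredential, presented_password: str, user: str = "alice",
                   cnonce: str = "fyko+d2lbbFgONRv9qkxdawL",
                   snonce: str = "3rfcNHYJY1ZVvWVs7j") -> Tuple[bool, bool]:
    """Assembles AuthMessage from the three SCRAM messages (constructed inputs, fixed
    nonces for reproducibility) and runs both verifications.
    Returns (client accepted by server, server accepted by client)."""
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(cred.salt).decode()},i={cred.iterations}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    proof, expected_server_sig = scram_client_proof(presented_password, cred.salt, cred.iterations, auth_message)
    server_sig = scram_server_verify(cred, auth_message, proof)
    if server_sig is None:
        return False, False
    return True, hmac.compare_digest(server_sig, expected_server_sig)

if __name__ == "__main__":
    chal = b"<1896.697170952@postoffice.reston.mci.net>"   # constructed challenge
    print("CRAM-MD5:", cram_md5_verify("tanstaaftanstaaf", chal,
                                       cram_md5_response("tim", "tanstaaftanstaaf", chal)))
    cred = scram_enroll("pencil")
    print("SCRAM right password:", scram_exchange(cred, "pencil"),
          "wrong password:", scram_exchange(cred, "pen"))
```

Note what each server function takes as input: cram_md5_verify needs the cleartext password, because the HMAC key is the password itself; scram_server_verify takes only the ScramCredential, whose StoredKey and ServerKey are one-way derivations of the salted password. That is why a SCRAM credential store can be kept without plaintext, and why a SASL library that exposes only a "give me the cleartext password" callback forces the CRAM-MD5 style of storage on the application regardless of which mechanism is negotiated.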