[jadmin] Re: jabberd14 'crypt' password storage in postgressql

Norman Rasmussen norman at rasmussen.co.za
Sat Jun 2 14:33:10 CDT 2007


you can store:

H( { username-value, ":", realm-value, ":", passwd } )

that way the password is not in plain text, and the stored value can
be used for DIGEST-MD5 authentication, so there's never a plaintext
password transferred on the wire.

On 6/2/07, Magnus Henoch <mange at freemail.hu> wrote:
> Thomas Merkel <drscream at cyber-tec.org> writes:
>
> > I think it can be a big security risk to store passwords in plaintext in
> > the database.
>
> Of course, not storing the passwords in plaintext is also a security
> risk, as the passwords must be sent in plaintext when a client is
> authenticating.  Even if the connection is encrypted, it is vulnerable
> to man-in-the-middle attacks (if the client doesn't check the server's
> certificate, or if the certificate is stolen but not the database,
> etc).
>
> Is there any widely accepted conclusion on this?
>
> --
> Magnus
> JID: legoscia at jabber.cd.chalmers.se
>
> _______________________________________________
> JAdmin mailing list
> JAdmin at jabber.org
> http://mail.jabber.org/mailman/listinfo/jadmin
> FAQ: http://www.jabber.org/about/jadminfaq.shtml
> _______________________________________________
>



-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
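The scheme Norman describes, as an added example (not code from the thread or from jabberd14): the server stores only MD5(username:realm:password) and can still verify a DIGEST-MD5 response (RFC 2831, qop=auth), so the plaintext password is needed neither in the database nor on the wire. All names and sample values below are constructed.

```python
import hashlib
import hmac

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """The value the server stores instead of the password:
    H( { username-value, ":", realm-value, ":", passwd } ) from RFC 2831, as raw MD5 bytes."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """Client response for qop=auth (RFC 2831 section 2.1.2.1), computed from the
    stored secret alone; the plaintext password is never needed here."""
    # A1 = { H(username:realm:passwd), ":", nonce-value, ":", cnonce-value }  (no authzid)
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = { "AUTHENTICATE:", digest-uri-value }
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    hex_h_a1 = hashlib.md5(a1).hexdigest()
    hex_h_a2 = hashlib.md5(a2).hexdigest()
    # response = HEX( KD( HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)) ) ) with KD(k, s) = H(k:s)
    return hashlib.md5(
        f"{hex_h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{hex_h_a2}".encode("utf-8")
    ).hexdigest()

def server_verify(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str, client_response: str) -> bool:
    """Server-side check: recompute from the stored hash and compare in constant time."""
    expected = digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)

def demo(password_typed: str) -> bool:
    # Constructed sample values (not taken from the mailing-list thread).
    username, realm, digest_uri = "alice", "example.org", "xmpp/example.org"
    nonce, cnonce, nc, qop = "server-nonce-1", "client-nonce-1", "00000001", "auth"
    # Provisioning: the database row holds only the hash, never the password.
    db_row = stored_secret(username, realm, "correct horse battery staple")
    # Client: derives the same secret from what the user typed, then answers the challenge.
    client_secret = stored_secret(username, realm, password_typed)
    response = digest_md5_response(client_secret, nonce, cnonce, nc, qop, digest_uri)
    # Server: verifies the challenge response using the stored hash only.
    return server_verify(db_row, nonce, cnonce, nc, qop, digest_uri, response)

if __name__ == "__main__":
    print(demo("correct horse battery staple"))  # True
    print(demo("wrong password"))                # False
```

Note that the stored hash is password-equivalent for DIGEST-MD5: anyone who reads it from the database can answer challenges as that user, so this protects the plaintext password (and its reuse on other services) rather than the account itself.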

