[jadmin] Re: jabberd14 'crypt' password storage in postgressql

Matthias Wimmer m at tthias.eu
Sun Jun 3 17:20:39 CDT 2007


Hi Norman!

Norman Rasmussen wrote:
> you can store:
> 
> H( { username-value, ":", realm-value, ":", passwd }
> 
> that way the password is not in plain text, and the stored value can
> be used for DIGEST-MD5 authentication, so there's never a plaintext
> password transferred on the wire.

Where the H( { username-value, ":", realm-value, ":", passwd } effectively
becomes your plaintext password, and you are storing it again.

The only thing you gain here is that the plaintext password is usable for
a single service only. But you still have a password in the DB that, when
stolen, can be used to authenticate at the server.

With real password hashes you are not able to use them to authenticate
at any service.

Another problem with DIGEST-MD5-prehashed passwords is that you are not
able to upgrade to a more secure mechanism if you do not trust
DIGEST-MD5 anymore (which may happen soon, as MD5 is more and more
questionable).

Keep your passwords secure and don't rely on the false sense of security
of hashed password storage.


Matthias

-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
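The point Matthias makes above can be shown in code: the RFC 2831 verification step takes only the stored H(username:realm:passwd) value and never the password, so whoever holds the database row can produce a valid response, whereas a salted iterated hash can only be checked against a plaintext candidate. This is an added example, not code from the jabberd14 project or from either poster; the user, realm, password, nonce and URI values are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the list post)
USERNAME, REALM, PASSWORD = "romeo", "example.com", "correct horse"
NONCE, CNONCE, NC, QOP, URI = "srv-nonce-1", "cli-nonce-1", "00000001", "auth", "xmpp/example.com"


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """The value Norman proposes to store: H( { username-value, ":", realm-value, ":", passwd } )."""
    return _md5(f"{username}:{realm}:{password}".encode())


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth. Note the signature: only HA1 goes in.
    A server runs this to check a login, so anyone who copied HA1 out of the DB can run it too."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()          # raw 16-byte HA1 followed by ":nonce:cnonce"
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()


def stored_value_is_credential() -> bool:
    """The client (knows the password) and a holder of the stored row (knows only HA1)
    produce byte-identical proofs, so the stored value is a password equivalent."""
    client_proof = digest_md5_response(digest_md5_ha1(USERNAME, REALM, PASSWORD), NONCE, CNONCE, NC, QOP, URI)
    stored_row = digest_md5_ha1(USERNAME, REALM, PASSWORD)   # what a DB dump yields; no password needed below
    proof_from_row_only = digest_md5_response(stored_row, NONCE, CNONCE, NC, QOP, URI)
    return hmac.compare_digest(client_proof, proof_from_row_only)


def make_verifier(password: str, salt: bytes = b""):
    """A "real password hash" in Matthias's sense: salted, iterated, one-way (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(verifier, candidate: str) -> bool:
    """Verification needs the plaintext candidate; the stored verifier alone proves nothing to the server."""
    salt, digest = verifier
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000))
```

The trade-off is the one the thread describes: the PBKDF2 record is useless to a thief, but the server must then receive the plaintext (e.g. SASL PLAIN over TLS) instead of a DIGEST-MD5 exchange.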



More information about the JAdmin mailing list