[jadmin] jabberd14 'crypt' password storage in postgresql
Oliver Block
lists at block-online.eu
Mon Jun 11 11:26:36 CDT 2007
On Sunday, 3 June 2007 16:36, Neil Stevens wrote:
> Thomas Merkel wrote:
> > I think it can be a big security risk to store passwords in plaintext in
> > the database.
>
> What exactly is the risk?
A user who does not know that the password is stored in plain text could use
the same password as he uses for his email account.
Everybody who knows his email address - for instance because the user is
required to deliver it when registering - can now read his mails.
This is one scenario which may occur.
Actually, I don't understand - apart from 'not well thought out' - why one
would not compare two md5 encrypted strings instead of two plain text
strings.
Best Regards,
Oliver
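
Added example, not part of the original message or of jabberd14: the digest comparison the message describes, in Python, carried one step further with a per-user salt and PBKDF2 so that two accounts with the same password do not share a stored value. The function names, the iteration count and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware


def md5_record(password: str) -> str:
    """Unsalted MD5 hex digest: the stored value the message proposes comparing."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str) -> str:
    """Return 'salt_hex$digest_hex', small enough for a single text column."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def sample_rows() -> dict:
    """Constructed accounts: alice and bob happen to pick the same password."""
    accounts = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
    return {
        user: {"md5": md5_record(pw), "pbkdf2": pbkdf2_record(pw)}
        for user, pw in accounts.items()
    }


if __name__ == "__main__":
    rows = sample_rows()
    for user, row in rows.items():
        print(user, row["md5"], row["pbkdf2"][:40] + "...")
    # Unsalted digests collide for equal passwords; salted records do not.
    print("md5 equal for alice/bob:   ", rows["alice"]["md5"] == rows["bob"]["md5"])
    print("pbkdf2 equal for alice/bob:", rows["alice"]["pbkdf2"] == rows["bob"]["pbkdf2"])
    print("login check:", verify("correct horse", rows["alice"]["pbkdf2"]))
```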