[jadmin] jabberd14 'crypt' password storage in PostgreSQL

Matthias Wimmer m at tthias.eu
Mon Jun 11 11:56:55 CDT 2007


Hi Oliver!

Oliver Block schrieb:
> A user who does not know that the password is stored in plain text could use 
> the same password as he uses for his email account.
> 
> Everybody who knows his email address - for instance because the user is 
> required to deliver it when registering - can now read his mails.

The only one that can access the passwords is the administrator of the 
server. And if he really wanted to access this user's e-mails that 
way, he could also just disable hashed password storage.

> Actually, I don't understand - apart from 'not well thought out' - why one 
> would not compare two md5 encrypted strings instead of two plain text 
> strings. 

Because you can only calculate the md5 encrypted password if you know 
the password. Therefore, to be able to calculate the hash, the client has 
to send the user's password in plain text. This is bad ...


Matthias

