[jadmin] jabberd14 'crypt' password storage in postgresql
Tomasz Sterna
tomek at xiaoka.com
Tue Jun 12 15:04:50 CDT 2007
On 11-06-2007, Mon at 19:54 +0200, Martel Valgoerad wrote:
> Couldn't the hash be calculated on a client side? So only this hash
> would be sent over the wire and a server would just need to compare
> two hashes.
So now you just store the plaintext password in the DB and send it in
plaintext over the wire. You just need to sniff it or get it from the DB,
and you're in.
The fact that the password is a hash of something doesn't change
anything. You may have a "strange"-looking password just by typing
randomly at the keyboard or using a password generator.
--
Tomasz Sterna
Xiaoka Grp. http://www.xiaoka.com/
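A small illustration of the point above, added here and not part of the thread or of jabberd14: when the server stores the client-computed hash verbatim, a copy of the DB row is itself a valid login token, whereas when the server runs a salted key derivation over whatever arrives, the row alone is not. The function names, sample password and salt are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: the client hashes its password itself and sends the hash.
CLIENT_PASSWORD = "correct horse"
CLIENT_HASH = hashlib.sha1(CLIENT_PASSWORD.encode()).hexdigest()


def store_as_is(token):
    """Scheme proposed in the thread: the DB row keeps exactly what arrived."""
    return {"token": token}


def verify_as_is(record, token):
    # Comparing wire token to stored token: the stored value IS the credential.
    return hmac.compare_digest(record["token"], token)


def store_server_hashed(token, salt=None):
    """Server derives a salted key from whatever arrives; the wire token is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest}


def verify_server_hashed(record, token):
    candidate = hashlib.pbkdf2_hmac("sha256", token.encode(), record["salt"], 100_000)
    return hmac.compare_digest(record["digest"], candidate)


def replay_from_db(record, verify):
    """Does a leaked DB row, with no knowledge of the password, log in by itself?"""
    stored = record["token"] if "token" in record else record["digest"].hex()
    return verify(record, stored)


if __name__ == "__main__":
    print("as-is row replays:", replay_from_db(store_as_is(CLIENT_HASH), verify_as_is))
    rec = store_server_hashed(CLIENT_HASH)
    print("server-hashed row replays:", replay_from_db(rec, verify_server_hashed))
```

Over the wire the situation is unchanged in both variants; only TLS on the connection protects what the client sends.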