[jadmin] jabberd14 'crypt' password storage in postgressql

Tomasz Sterna tomek at xiaoka.com
Tue Jun 12 15:19:51 CDT 2007


On 02-06-2007, Sat at 11:06 +0200, Thomas Merkel wrote:
> I think it can be a big security risk to store passwords in plaintext
> in the database.

Where is this paranoia coming from?

If you do not trust the administrator of the service, do not use the
service. He will get your password no matter how it is stored. The
server might just be tampered with to store it before hashing and comparing.

If you are the administrator, passwords that are not clearly readable give
you just a false sense of "security". When your system is compromised,
you have lost anyway.
You do not store hashes in /etc/passwd anymore, because hashes are
crackable. MD5 is brute-force, dictionary-based collidable in reasonable
time using off-the-shelf hardware.


-- 
Tomasz Sterna
Xiaoka Grp.  http://www.xiaoka.com/
