[jadmin] Re: jabberd14 'crypt' password storage in postgressql

Matthias Wimmer m at tthias.eu
Thu Jun 14 09:55:58 CDT 2007


Hi Thomas!

Thomas Charron wrote:
>  I have to slightly disagree here.  MANY systems will have access to
> the password in a processed form, and work off of that.

Just because many websites do it that way does not make it more secure.
That login forms on websites transmit the password in plain text to the server is
just a matter of usability decisions, as are login forms altogether. From
the security point of view, doing real HTTP-based digest authentication
should be preferred.

> This provides
> a one way encryption of the password itself, which allows you to
> present a secret, but not require that secret to be stored, merely the
> result of an operation ON the secret.

While it has already been explained in detail why this was done in the
past and why it is not the modern opinion on how to do authentication right,
I want to note one thing that I have now read stated wrongly in this thread several times:

What you are talking about is *not* *encrypting* the password, but
*hashing* the password.
An encryption function is invertible if you know the key, while an
unbroken hash function cannot be inverted.
(En)crypting and hashing something is really a very big difference and
should not be mixed up.


Matthias

-- 
Matthias Wimmer      Phone +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
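A stdlib Python illustration of the distinction drawn above, added here as an example and not code from jabberd14 or from either poster: the first two functions store only the result of a one-way operation on the secret (a salted PBKDF2 hash in a crypt-style record) and verify by recomputing it, while the last function is a constructed reversible cipher showing what "invertible if you know the key" means. The record format, iteration count and cipher construction are assumptions for the example.

```python
"""Hashing vs. encrypting a stored password (added example, not jabberd14 code)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune for your hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a crypt-style record 'pbkdf2_sha256$iterations$salt$digest'.

    Only the result of a one-way operation on the secret is stored; a random
    salt makes equal passwords produce different records.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-run the one-way operation on the presented secret and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed reversible cipher: XOR with an HMAC-SHA256 keystream (CTR-style).

    Included only to contrast with hashing: calling it again with the same key
    and nonce undoes it, so a stored ciphertext plus the key gives the password back.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)
```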
