[Standards-JIG] JEP-0077: In-Band Registration
Peter Saint-Andre
stpeter at jabber.org
Mon Jul 17 10:52:39 CDT 2006
Piotr Szturmaj wrote:
> Hi,
>
> JEP-0077 says that passwords are sent plain. Why not hash them and store
> hashes only? A plain text password is a big lack of security; any person who
> has database access could read users' passwords. Also, the client application
> must store the plain/encrypted password, which can be read anyway since it
> isn't one-way encryption like a hash.
Sending the password in plain text is not insecure if the channel is
encrypted (SSL/TLS) and that's what the JEP recommends.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
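The two points in the thread are separable: TLS protects the password while the jabber:iq:register stanza is in transit, and what the server does with it afterwards decides whether a database leak exposes it. The following is an added example, not code from the thread, JEP-0077 or any XMPP server. It parses a constructed registration request shaped like the JEP-0077 example, stores only a salted PBKDF2-SHA256 hash (the iteration count and the dictionary-backed store are assumptions made for this illustration), and verifies a later login attempt against that record without ever persisting the plaintext.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

REGISTER_NS = "jabber:iq:register"
PBKDF2_ITERATIONS = 200_000  # assumption: work factor chosen for this example

# Constructed registration request, modelled on the JEP-0077 example.
# On the wire the <password/> element is plaintext; the TLS-protected
# stream is what keeps it confidential in transit.
SAMPLE_REGISTRATION = """
<iq type='set' id='reg2'>
  <query xmlns='jabber:iq:register'>
    <username>bill</username>
    <password>Calliope</password>
    <email>bard@shakespeare.lit</email>
  </query>
</iq>
"""


def hash_password(password, salt=None):
    """Return a storable record: algorithm, iterations, salt and hash, no plaintext."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algorithm": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record, candidate):
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def parse_registration(stanza_xml):
    """Extract username and password from an <iq type='set'> registration stanza."""
    root = ET.fromstring(stanza_xml.strip())
    if root.tag != "iq" or root.get("type") != "set":
        raise ValueError("expected an <iq type='set'/> stanza")
    query = root.find("{%s}query" % REGISTER_NS)
    if query is None:
        raise ValueError("missing jabber:iq:register query")
    username = query.findtext("{%s}username" % REGISTER_NS)
    password = query.findtext("{%s}password" % REGISTER_NS)
    if not username or not password:
        raise ValueError("username and password are required")
    return username, password


def register_user(store, stanza_xml):
    """Handle a registration request; the store (assumed dict) only ever sees hashes."""
    username, password = parse_registration(stanza_xml)
    if username in store:
        # JEP-0077 answers an already-registered username with a conflict error
        raise ValueError("conflict: username already registered")
    store[username] = hash_password(password)
    return username


if __name__ == "__main__":
    accounts = {}
    user = register_user(accounts, SAMPLE_REGISTRATION)
    print("stored record for", user, "->", accounts[user])
    print("login with correct password:", verify_password(accounts[user], "Calliope"))
    print("login with wrong password:", verify_password(accounts[user], "calliope"))
```

With this layout a reader of the account table sees a salt and a hash, not the password, which addresses the database-access concern raised in the quoted message without changing anything about the stanza itself.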