[JDEV] hashing of passwords in xml file

b h bobhumphrey22 at yahoo.com
Sat May 10 20:11:42 CDT 2003


I'm not an advanced developer, or an xml expert, so
please be patient with me.  But I have two

1. Is there any problem with storing a SHA-1 hash of
the password as opposed to plaintext in the users.xml
files?  Since I already have openssl on the system
(and have configured jabberd to use ssl encryption) I
think this should be easy to do.  I don't think this
should be a problem, although maybe a SHA-1 output
every now and then would conflict with XML syntax? 
ie. part of the hash having special characters that
are reserved in XML?  hmm, XML files are plaintext and
SHA-1 output is binary... maybe convert it to hex
first before storing (like the digest)....

2. If there isn't a problem with question 1, could
someone please point me to the files where I would
need to modify the source of jabberd in order to
implement this?

I still have reservations having plaintext user
passwords on the filesystem.  Even though I comment
out the <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
option, and use SSL for encryption, I would feel more
comfortable if putting a server on the DMZ with a
little more protection.  And from my understanding,
with 1.4.2 there is currently a need of keeping the
plaintext passwords available in the user.xml file.

any advice or comments much appreciated.


Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.

More information about the JDev mailing list