[JDEV] hashing of passwords in xml file

Daniel Chote daniel at chote.net
Sat May 10 21:02:33 CDT 2003

The reason why this wouldnt work, is that the password and the sessionid 
are put together and then hashed.   The hash is something that is 
different for every new connection.

b h wrote:

>I'm not an advanced developer, or an xml expert, so
>please be patient with me.  But I have two
>1. Is there any problem with storing a SHA-1 hash of
>the password as opposed to plaintext in the users.xml
>files?  Since I already have openssl on the system
>(and have configured jabberd to use ssl encryption) I
>think this should be easy to do.  I don't think this
>should be a problem, although maybe a SHA-1 output
>every now and then would conflict with XML syntax? 
>ie. part of the hash having special characters that
>are reserved in XML?  hmm, XML files are plaintext and
>SHA-1 output is binary... maybe convert it to hex
>first before storing (like the digest)....
>2. If there isn't a problem with question 1, could
>someone please point me to the files where I would
>need to modify the source of jabberd in order to
>implement this?
>I still have reservations having plaintext user
>passwords on the filesystem.  Even though I comment
>out the <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
>option, and use SSL for encryption, I would feel more
>comfortable if putting a server on the DMZ with a
>little more protection.  And from my understanding,
>with 1.4.2 there is currently a need of keeping the
>plaintext passwords available in the user.xml file.
>any advice or comments much appreciated.
>Do you Yahoo!?
>The New Yahoo! Search - Faster. Easier. Bingo.
>jdev mailing list
>jdev at jabber.org

Daniel Chote
Developer/Designer and typical drunk!
email/jabber: daniel at chote.net

More information about the JDev mailing list