[JDEV] hashing of passwords in xml file

maqi at jabberstudio.org
Sun May 11 04:57:18 CDT 2003

On Sat, 10 May 2003, b h wrote:

> 1. Is there any problem with storing a SHA-1 hash of
> the password as opposed to plaintext in the users.xml
> files?

This would make digest auth impossible.

As an overview:
- digest auth (= secure authentication over non-encrypted connection)
needs password stored in plain text on the server
- plain text auth could work with hashed passwords on the server (which
currently is not implemented, it also uses plain text passwords on the
- 0k auth provides secure authentication and hashed password storage but
has some other security problems (see standards-jig mailing list archive)

> I still have reservations having plaintext user
> passwords on the filesystem.  Even though I comment
> out the <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
> option

That's currently not a good idea as only mod_auth_plain handles password
change requests. mod_auth_digest should also handle them but does not,
meaning you break password changes if you comment out mod_auth_plain. I
submitted a jabberd patch that fixes that and an update for the admin
guide but neither has made it online yet.
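The trade-off in the overview above, worked through in code. This is an added example, not code from the post or from jabberd: it models the three mechanisms against two server-side stores. The digest is SHA-1 over the stream ID followed by the password, as in jabber:iq:auth (XEP-0078); the 0k part is a simplified hash-chain model of the idea (server keeps only the top of a chain) and is not claimed to match jabberd's exact derivation. The user name, password, stream ID and token are constructed sample values, and the PBKDF2 parameters for the hashed store are my own choice.

```python
import hashlib
import hmac
import os

# Constructed sample data: one user with a known password.
USER = "alice"
PASSWORD = "correct horse"


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode()).hexdigest()


# ---------- server-side password stores ----------

# Store A: plain text, which is what digest auth needs.
plaintext_store = {USER: PASSWORD}


# Store B: salted PBKDF2 hash (assumed parameters), enough for plain-text auth.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_salt = os.urandom(16)
hashed_store = {USER: (_salt, hash_password(PASSWORD, _salt))}


# ---------- 1. digest auth (jabber:iq:auth, XEP-0078) ----------

def client_digest(stream_id: str, password: str) -> str:
    """Client side: SHA-1 over the stream ID followed by the password."""
    return sha1_hex(stream_id + password)


def verify_digest(user: str, stream_id: str, digest: str) -> bool:
    """Server side: recompute the digest, which needs the password itself."""
    expected = client_digest(stream_id, plaintext_store[user])
    return hmac.compare_digest(expected, digest)


def verify_digest_from_hash(user: str, stream_id: str, digest: str) -> bool:
    """What a server holding only a hash could try: use the stored hash in
    place of the password. It never matches what the client computed."""
    _, pw_hash = hashed_store[user]
    return hmac.compare_digest(client_digest(stream_id, pw_hash.hex()), digest)


# ---------- 2. plain-text auth against a hashed store ----------

def verify_plain(user: str, password: str) -> bool:
    """Server receives the password (over an encrypted link) and compares hashes."""
    salt, stored = hashed_store[user]
    return hmac.compare_digest(hash_password(password, salt), stored)


# ---------- 3. 0k auth, simplified hash-chain model (assumption) ----------

def chain(password: str, token: str, steps: int) -> str:
    """Link `steps` of the chain rooted in SHA-1(password) and a per-user token."""
    h = sha1_hex(password)
    h = sha1_hex(h + token)
    for _ in range(steps):
        h = sha1_hex(h)
    return h


def zk_enroll(password: str, token: str, sequence: int) -> dict:
    """Server keeps only the top of the chain, never the password."""
    return {"token": token, "sequence": sequence,
            "hash": chain(password, token, sequence)}


def zk_client_response(password: str, state: dict) -> str:
    """Client proves knowledge of the password by revealing the previous link."""
    return chain(password, state["token"], state["sequence"] - 1)


def zk_server_verify(state: dict, response: str) -> bool:
    """One more SHA-1 of the response must equal the stored link; on success
    the server steps down the chain, so the same response cannot be replayed."""
    if not hmac.compare_digest(sha1_hex(response), state["hash"]):
        return False
    state["hash"] = response
    state["sequence"] -= 1
    return True
```

Running the three verifiers side by side shows the point of the overview: `verify_digest` only works with the plaintext store, `verify_digest_from_hash` cannot succeed because the client's digest was computed from the password and not from its hash, while `verify_plain` and the 0k chain are satisfied with a store that holds no password at all. The chain model also shows why 0k state must be updated after every login: the server replaces the stored link with the one just revealed, otherwise a captured response would remain valid.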
