[JDEV] Account information storage, plaintext?

Tijl Houtbeckers thoutbeckers at splendo.com
Fri Sep 12 17:50:26 CDT 2003

"Jamin W. Collins" <jcollins at asgardsrealm.net> wrote on 13-9-2003 
>On Fri, Sep 12, 2003 at 10:04:39PM +0100, Andrew Sayers wrote:
>> I can't speak for jabberd, but other popular programs (e.g. pppd,
>> fetchmail) store passwords in plaintext, readable only by a specified
>> user.  The theory is that if someone can get read access to files 
>> they aren't supposed to, they'll get your password one way or other 
>> anyway. 
>Understood, but in the examples provided the password is either stored
>on the user's machine or on the remote server being connected to.  In
>the case of Jabber transports the password is being stored on a third
>party system (the Jabber server), and the users probably don't realize

Well, I suppose you *could* resend the password in plain-text each time 
you log into a transport, rather than storing it on the server. That 
way a user with only read-acces to the filesystem on the server won't 
be able to steal it. But what kind of user on the server would have 
permission to read all files but not sniff network traffic? (maybe one 
used by a backup program or something). It might make things a little 
more secure one way (for example they won't end up in your backups 
either), but on the other way, sending your password in plaintext over 
the wire isn't that secure either. So you'd have to use SSL, wich can 
be a bit heavy on the server and only works if the link between the 
server and the transport isn't vonurable either. 

Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands

More information about the JDev mailing list