[JDEV] Account information storage, plaintext?

Robert Norris rob at cataclysm.cx
Fri Sep 12 23:49:07 CDT 2003

> Does anyone else see it as a concern that the Jabber server (1.4.2
> release) and popular transports (aim-t, jit, msn-t, and yahoo-t) save
> user account information (user name and password) in plaintext for
> anyone with read access on the Jabber server to see?

Transports are an interesting issue - in order to work the way they do,
they need to have your password. Either that, or you need to register
with them each time.

The Jabber server itself is a different story. As far as I'm concerned,
it's entirely reasonable for the server to store its passwords in
plaintext, where appropriate. Only specific users (such as the user that
the server runs as) should have read access to these files. And of
course, the administrator is implicitly trusted.


Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/