[JDEV] Account information storage, plaintext?
richard at dobson-i.net
Tue Sep 16 03:53:09 CDT 2003
> > > The use of a two-way algorithm would still require the user to do more
> > > than cat the file to find the password. Why should we make it as
> > > easy as possible for people (admins or not) to find out other
> > > people's passwords? If anything we should be taking every possible
> > > step to do exactly the opposite.
> > Because, as already mentioned, transports simply won't work if you cannot
> > obtain the original plaintext password; also, current authentication
> > schemes will not work either, and as I've already said it makes it very
> > difficult to integrate Jabber into an existing system if you cannot
> > get at the plaintext password.
> Please reread my statement. I referenced the use of a two-way
> algorithm, not a one-way one. A two-way algorithm would allow the
> transports and server access to the original plaintext password.
I did, I was reading the statement "Why should we make it as easy as
possible for people (admins or not) to find out other people's passwords?",
which I read as meaning that we should be using one-way hashes and not two
> > > Simply because thousands of applications do it doesn't mean it's the
> > > correct thing to do.
> > Of course it doesn't mean it's the best thing to do in an ideal world, but
> > because we live in the real world a lot of people will want to
> > integrate Jabber with those existing applications; we cannot simply
> > ignore their existence.
> And what about using a two-way algorithm would stop us from doing so?
Read my statement above; I was not talking about two-way. I also read this
statement as meaning that we should be hashing all passwords and ignoring
the thousands of applications you think are doing things wrong.
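The trade-off argued over in this thread, shown as an added example (this is not code from the original post or from jabberd). A one-way store can only answer "is this the right password?"; a two-way store can hand the plaintext back to the server, which is what a challenge-response login or a transport that must log in to a legacy service on the user's behalf needs, and also what lets anyone holding the server key read every password. The class and function names, the `digest_response` scheme and the server key are assumptions made for the demonstration; the reversible cipher is a deliberately simple HMAC-SHA256 counter-mode construction with a separate HMAC tag so that the example needs only the standard library, not a recommendation for production use (a vetted AEAD such as AES-GCM belongs there).

```python
"""Added example: one-way (hashed) vs two-way (reversible) password storage.

Standard library only.  The reversible cipher is an illustrative
HMAC-SHA256 counter mode plus HMAC tag, not a production choice.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # work factor for the one-way store


class OneWayStore:
    """Stores salt || PBKDF2-HMAC-SHA256(password); verification only."""

    def __init__(self):
        self._records = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[user] = salt + digest

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec[:16], rec[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def plaintext(self, user):
        # The whole point of a one-way store: nobody, admin included, gets this back.
        raise LookupError("one-way store: plaintext is not recoverable")


def _keystream(key, nonce, length):
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TwoWayStore:
    """Stores nonce || ciphertext || tag under a server-held key (assumed)."""

    def __init__(self, server_key):
        # Derive separate encryption and MAC keys from the one server key.
        self._enc_key = hmac.new(server_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(server_key, b"mac", hashlib.sha256).digest()
        self._records = {}

    def set_password(self, user, password):
        nonce = os.urandom(16)
        pt = password.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self._enc_key, nonce, len(pt))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        self._records[user] = nonce + ct + tag

    def plaintext(self, user):
        rec = self._records[user]  # KeyError (a LookupError) for unknown users
        nonce, ct, tag = rec[:16], rec[16:-32], rec[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("record tampered")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct)))).decode()

    def verify(self, user, password):
        try:
            return hmac.compare_digest(self.plaintext(user).encode(), password.encode())
        except KeyError:
            return False


def digest_response(password, challenge):
    """Client side of an assumed digest-style login: H(challenge || password)."""
    return hashlib.sha256(challenge + password.encode()).hexdigest()


def check_digest(store, user, challenge, response):
    """Server side: works only if the store can return the plaintext.

    Returns True/False for a verdict, or None when the store cannot
    support the scheme at all (the one-way case from the thread).
    """
    try:
        expected = digest_response(store.plaintext(user), challenge)
    except LookupError:
        return None
    return hmac.compare_digest(expected, response)
```

Running `check_digest` against a `OneWayStore` returns `None` rather than a verdict: the server has nothing to compute the expected response from, which is the incompatibility the thread describes. Against a `TwoWayStore` it works, and so does any transport that asks the store for `plaintext(user)`, which is exactly why the server key then protects every account at once.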