[jdev] plaintext passwords hack

Simon Tennant (Buddycloud) simon at buddycloud.com
Wed Dec 16 10:03:49 CST 2009

I'm curious what the community makes of the recent news 
given SASL's cleartext password storage? It seems like a monster breach.

Are we, as XMPP network operators, headed to a similar compromise as 
larger projects get built around XMPP?

Are there any XMPP network operators (apart from Google) that have 
turned off all but the SASL PLAIN with TLS?  How did your migration go 
or did you start out with salted and hashed passwords from day 1?

I am also curious about what measures you are taking outside of the SASL 
realm to keep your users' data secure?

Also, if you do not hash passwords in the DB, how do you go about 
informing your users that you are keeping their passwords in cleartext?


Simon Tennant

.de mobile: +49 17 8545 0880
.uk mobile: +44 78 5335 6047
.uk office: +44 20 7043 6756
.de office: +49 89 4209 55854

email and xmpp: simon at buddycloud.com
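Editor's note on the trade-off the question turns on: the challenge-response SASL mechanisms common on XMPP at the time (DIGEST-MD5, CRAM-MD5) require the server to hold either the cleartext password or a password-equivalent derived directly from it, which is why "SASL PLAIN over TLS only" is the usual precondition for storing salted hashes. With PLAIN the server sees the cleartext exactly once per login, so an operator can both verify against a salted hash and lazily migrate legacy cleartext records. The following is an added example written for this page; it is not code from the original post, from Buddycloud, or from any XMPP server. The in-memory user store, the user names and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical parameters; a real deployment tunes the iteration count to its hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build a salted, iterated hash record for one user (the 'day 1' storage form)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations, "hash": digest}


# Constructed user store standing in for the server's auth DB (not real accounts).
# "alice" is a legacy cleartext record awaiting migration; "bob" was hashed from the start.
USERS = {
    "alice": {"scheme": "plain", "password": "correct horse"},
    "bob": make_record("battery staple"),
}

# Verified against when the account does not exist, so unknown and wrong-password
# attempts take roughly the same time (no user enumeration via timing).
_DUMMY = make_record("no such user")


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side: the PLAIN initial response [authzid] NUL authcid NUL passwd (RFC 4616), base64 for the XMPP <auth/> element."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def parse_plain(message: bytes) -> tuple:
    """Server side: split the decoded PLAIN message; exactly three NUL-separated fields."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or password")
    return authzid, authcid, passwd


def verify(record: dict, password: str) -> bool:
    """Check a cleartext password against either storage scheme, in constant time."""
    pw = password.encode("utf-8")
    if record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["iterations"])
        return hmac.compare_digest(candidate, record["hash"])
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["password"].encode("utf-8"), pw)
    return False


def authenticate_plain(users: dict, b64_message: str):
    """Handle one PLAIN authentication (assumed to arrive over TLS).

    Returns the authenticated user name, or None on any failure. A successful
    login against a legacy cleartext record rewrites it as a salted hash, which
    is the lazy migration path PLAIN makes possible.
    """
    try:
        authzid, authcid, passwd = parse_plain(base64.b64decode(b64_message, validate=True))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    record = users.get(authcid)
    ok = verify(record if record is not None else _DUMMY, passwd)
    if record is None or not ok:
        return None
    if authzid and authzid != authcid:
        return None  # proxy authorization is not supported in this example
    if record["scheme"] == "plain":
        users[authcid] = make_record(passwd)  # migrate on first successful login
    return authcid


if __name__ == "__main__":
    print(authenticate_plain(USERS, encode_plain("", "alice", "correct horse")))  # alice
    print(USERS["alice"]["scheme"])                                                # pbkdf2
    print(authenticate_plain(USERS, encode_plain("", "alice", "wrong")))          # None
```

The migration trick works only because PLAIN delivers the cleartext; a DIGEST-MD5 or CRAM-MD5 login never gives the server the password, so those accounts stay on cleartext (or password-equivalent) storage until their owners log in with PLAIN or reset their passwords.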
