[Operators] Suspicion of Jabbim services being hacked
dave at cridland.net
Fri Dec 19 20:40:12 UTC 2014
On 19 December 2014 at 20:18, Kevin Smith <kevin.smith at isode.com> wrote:
> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
> >>>> Hi all,
> >>>> thought it would be interesting to the audience of this mailing list.
> >>>> Best regards,
> >>> Another great example of why you should ditch DIGEST-MD5 and store your
> >>> passwords as SCRAM bits.
> >>> —Sam
> >> It feels like we should do something like the encryption push, but for
> >> non-plaintext passwords.
> > Do we have any statistics (e.g. on jabber.org) about what proportion of
> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
> > (though yes, PLAIN works well with hashed passwords, but should still be
> > avoided whenever possible)
> > That would be enlightening.
> While I can’t say anything about clients not supporting stuff, obviously,
> clients choosing DIGEST are four times more numerous than clients choosing
> SCRAM, six times more numerous than those choosing PLAIN, and a small
> number do 78 auth and CRAM-MD5.
So unlike the campaign about TLS, this one is really aimed primarily at the
clients, then. Probably one to discuss at the Summit?