[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Tijl Houtbeckers thoutbeckers at splendo.com
Tue May 27 17:18:32 UTC 2003


Casey Crabb <crabbkw at nafai.dyndns.org> wrote on 27-5-2003 19:12:22:
>
>
>I don't think this is any more secure than just sha1(StreamID +
>password). What happens is that sha1(password) is
>password-equivalent.
>
>At some point sha1(password) has to travel over the line; at this
>point it can be sniffed. Or, if you have access to the server's spool
>you can just read it out of there.
>
>Given that you know sha1(password):
>You can't just login using a random client now, but writing a custom
>one to use the known sha1(password) is not difficult.

Well, then maybe we should send the sha1 of the sha1 of the sha1. ;)

>
>Does this make sense; am I missing something?

I don't think you're missing something there, I was just typing the same kind 
of reply. The only thing "enhanced" about it is that if you use the 
same password outside of this account for different things you can't 
steal it anymore. Unless, of course, that other application also uses the 
same "enhanced" method, for example, another Jabber account. 

-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
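
The password-equivalence point discussed in this thread, as an added example that is not part of the original messages. It assumes the proposed digest is sha1(StreamID + sha1(password)) with sha1(password) kept in the server's spool; the thread does not spell the formula out, and all function names and sample values are constructed.

```python
import hashlib
import hmac


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def stored_verifier(password: str) -> str:
    """Value kept in the server's spool under the assumed scheme."""
    return sha1_hex(password)


def client_digest(stream_id: str, secret: str, secret_is_hash: bool = False) -> str:
    """Digest sent at login; `secret` is the password, or already sha1(password)."""
    inner = secret if secret_is_hash else sha1_hex(secret)
    return sha1_hex(stream_id + inner)


def server_accepts(stream_id: str, spool_value: str, digest: str) -> bool:
    """The server can only check against what it has stored."""
    return hmac.compare_digest(sha1_hex(stream_id + spool_value), digest)


def demo() -> dict:
    password = "correct horse"       # constructed sample password
    stream_id = "3EE948B0"           # constructed sample StreamID
    spool = stored_verifier(password)
    return {
        # Normal login: the client knows the password.
        "login_with_password": server_accepts(
            stream_id, spool, client_digest(stream_id, password)),
        # Login knowing only the spool value: the password is never needed,
        # so sha1(password) is password-equivalent for this account.
        "login_with_spool_value": server_accepts(
            stream_id, spool, client_digest(stream_id, spool, secret_is_hash=True)),
        # The spool value is not the plaintext, so a service that wants the
        # plaintext cannot be fed it directly ...
        "spool_is_plaintext": spool == password,
        # ... but a second account using the same unsalted scheme and the same
        # password stores the identical value.
        "same_value_on_other_account": stored_verifier(password) == spool,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check for this property on the server side is whether the stored value alone is sufficient input to `server_accepts`; here it is, which is why the spool has to be protected like a plaintext password file.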



