[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Matt Tucker matt at jivesoftware.com
Tue May 27 17:38:09 UTC 2003


Casey,

> Given that you know sha1(password):
> You can't just login using a random client now, but writing a custom
> one to use the known sha1(password) is not difficult.

Yep, I agree with others that it's really not any more secure. We're 
still doing the exact same thing we were before, except now you've 
killed the ability to do plaintext password recovery and other similar 
features.

The only way to securely use hashes is:

  1) Store hashed password in db.
  2) User sends plaintext password (over SSL for example) to login.
  3) Server computes hash and compares it to value stored in db.

Since we can't ensure that everyone use SSL for connections, I think the 
current hash algorithm is the best one. You can always use database 
level encryption, etc, to try to increase security on that side of the 
equation.

Regards,
Matt




More information about the Standards mailing list