[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
matt at jivesoftware.com
Tue May 27 17:38:09 UTC 2003
> Given that you know sha1(password):
> You can't just login using a random client now, but writing a custom
> one to use the known sha1(password) is not difficult.
Yep, I agree with others that it's really not any more secure. We're
still doing the exact same thing we were before, except now you've
killed the ability to do plaintext password recovery and other similar
The only way to securely use hashes is:
1) Store hashed password in db.
2) User sends plaintext password (over SSL for example) to login.
3) Server computes hash and compares it to value stored in db.
Since we can't ensure that everyone use SSL for connections, I think the
current hash algorithm is the best one. You can always use database
level encryption, etc, to try to increase security on that side of the
More information about the Standards