[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Dave Smith dizzyd at jabber.org
Tue May 27 19:56:04 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tuesday, May 27, 2003, at 13:23 America/Denver, Tijl Houtbeckers wrote:

> The "amount" we win with this is very small. It doesn't protect your
> own jabber account, and if you use the same password for another jabber
> account it doesn't protect that either. On top of that, any other
> program that uses the same mechanism is vulnerable too. Or is it part of
> the plan that all non-jabber developers will recognize what a bad idea
> it is and never implement it?

Ouch.

Look, the idea here is to fix something that should have been fixed a 
long time ago. This isn't rocket science. It is neither less nor more 
secure for authentication/registration than the current method -- but 
it DOES provide A way to avoid storing a password in plaintext.

For those of you who are saying "it's _just_ obscurity", consider that 
it's important that we don't store plaintext passwords for the SAME 
reason that *nix doesn't store plaintext passwords. Even if people know 
the hash, it doesn't do them a whole lot of good.

Diz

