[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
dizzyd at jabber.org
Tue May 27 19:56:04 UTC 2003
On Tuesday, May 27, 2003, at 13:23 America/Denver, Tijl Houtbeckers
> The "amount" we win with this is very small. It doesn't protect your
> own jabber account, and if you use the same password for another jabber
> account it doesn't protect that either. On top of that, any other
> program that uses the same mechanism is vulnerable too. Or is it part of
> the plan that all non-jabber developers will recognize what a bad idea
> it is and never implement it?
Look, the idea here is to fix something that should have been fixed a
long time ago. This isn't rocket science. It is neither less, nor more
secure for authentication/registration than the current method -- but
it DOES provide A way to avoid storing a password in plaintext.
For those of you who are saying "it's _just_ obscurity", consider that
it's important that we don't store plaintext passwords for the SAME
reason that *nix doesn't store plaintext passwords. Even if people know
the hash, it doesn't do them a whole lot of good.
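The point made in the reply above, that a stored hash is of little use to whoever obtains it, can be shown with a small added example. This is illustrative code written for this page, not code from the poster or from JEP 78; the salted PBKDF2 record format is an assumption chosen to mirror a *nix-style password file, not the digest scheme the JEP itself defines.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration: the server keeps only a salted, iterated hash of
# the password. The record format "iterations$salt_hex$hash_hex" is an
# assumption made for this example, not the JEP 78 mechanism.

def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Return a storable record for the password; plaintext never reaches disk."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def plaintext_present(password: str, record: str) -> bool:
    """True if the stored record leaks the password verbatim (it should not)."""
    return password in record


if __name__ == "__main__":
    rec = make_record("correct horse")
    print("stored record:", rec)
    print("plaintext on disk:", plaintext_present("correct horse", rec))  # False
    print("right password:", verify("correct horse", rec))               # True
    print("wrong password:", verify("battery staple", rec))              # False
    # Knowing the stored hash does not let you log in: it is not the password.
    print("hash used as password:", verify(rec, rec))                    # False
```

The last check is the *nix argument in code form: an attacker holding the record cannot simply replay it as a credential, and a different random salt per account means two accounts with the same password produce unrelated records.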