[Standards-JIG] JEP-0077: In-Band Registration

Peter Saint-Andre stpeter at jabber.org
Mon Jul 17 15:52:39 UTC 2006


Piotr Szturmaj wrote:
> Hi,
> 
> JEP-0077 says that passwords are sent plain. Why not hash them and store 
> hashes only? A plain-text password is a big lack of security; any person who 
> has database access could read users' passwords. Also, the client application 
> must store the plain/encrypted password, which can be read anyway since it 
> isn't one-way encryption like a hash.

Sending the password in plain text is not insecure if the channel is
encrypted (SSL/TLS), and that's what the JEP recommends.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
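For readers following this thread, an added example (not from the mailing list post, the JEP, or any Jabber server project): the two concerns above are separable. The wire format of a jabber:iq:register set carries the password in plain text and is protected by TLS, as Peter says, while the server can still store only a salted hash, which addresses the database-access concern. The handler below parses a constructed registration stanza, refuses it unless the stream is TLS-secured, stores a PBKDF2-HMAC-SHA256 hash, and answers with a result or a conflict error. The stanza values, the iteration count, the in-memory account store and the handler class are all assumptions made for the example.

```python
"""Added example: server-side XEP-0077 registration that stores hashes only.

Not code from the mailing list post or the JEP. The sample stanza, the
iteration count and the in-memory account store are constructed for
illustration.
"""
import hashlib
import hmac
import os
from typing import Optional
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS_REGISTER = "jabber:iq:register"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
PBKDF2_ITERATIONS = 200_000  # assumption: a tuning value, not from the JEP

# Constructed sample registration request (values illustrative only).
SAMPLE_SET = (
    "<iq type='set' id='reg2'>"
    "<query xmlns='jabber:iq:register'>"
    "<username>bill</username>"
    "<password>Calliope</password>"
    "<email>bard@shakespeare.lit</email>"
    "</query>"
    "</iq>"
)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh 16-byte salt is drawn per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def parse_registration(stanza_xml: str) -> tuple:
    """Extract (iq id, username, password, email) from a registration set."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") != "set":
        raise ValueError("expected <iq type='set'>")
    query = iq.find(f"{{{NS_REGISTER}}}query")
    if query is None:
        raise ValueError("missing jabber:iq:register query")
    username = (query.findtext(f"{{{NS_REGISTER}}}username") or "").strip()
    password = query.findtext(f"{{{NS_REGISTER}}}password") or ""
    email = (query.findtext(f"{{{NS_REGISTER}}}email") or "").strip()
    if not username or not password:
        raise ValueError("username and password are required")
    return iq.get("id", ""), username, password, email


class RegistrationHandler:
    """Assumed account store: {username: {"salt", "hash", "email"}}.

    The plaintext password never reaches the store; only salt and digest do.
    """

    def __init__(self) -> None:
        self.accounts: dict = {}

    def handle_set(self, stanza_xml: str, tls_secured: bool) -> str:
        if not tls_secured:
            # The JEP's recommendation: the plaintext password only ever
            # crosses an encrypted (SSL/TLS) stream.
            raise PermissionError("refusing in-band registration on an unencrypted stream")
        iq_id, username, password, email = parse_registration(stanza_xml)
        if username in self.accounts:
            # Username already taken: conflict error, written in the shape
            # assumed here for an XMPP stanza error.
            return (f"<iq type='error' id={quoteattr(iq_id)}>"
                    "<error code='409' type='cancel'>"
                    f"<conflict xmlns='{NS_STANZAS}'/>"
                    "</error></iq>")
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest, "email": email}
        return f"<iq type='result' id={quoteattr(iq_id)}/>"

    def check_login(self, username: str, password: str) -> bool:
        rec = self.accounts.get(username)
        if rec is None:
            # Burn a hash anyway so an unknown username costs the same time.
            hash_password(password, b"\x00" * 16)
            return False
        return verify_password(password, rec["salt"], rec["hash"])


if __name__ == "__main__":
    handler = RegistrationHandler()
    print(handler.handle_set(SAMPLE_SET, tls_secured=True))
    print(handler.check_login("bill", "Calliope"))
```

The `tls_secured` flag stands in for whatever the server knows about the stream (for example, that STARTTLS completed); the point is that the registration handler, not the client, is where the plaintext-on-the-wire form ends and the hashed-at-rest form begins.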
