[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Tijl Houtbeckers thoutbeckers at splendo.com
Mon Jul 17 20:47:05 UTC 2006


On Mon, 17 Jul 2006 22:21:48 +0200, Peter Saint-Andre <stpeter at jabber.org>  
wrote:

> That way, even if a hacker gains
> control of my machine, they'll have only the hash -- which makes it
> trivial for the hacker to log into my Jabber account of course, but at
> least the hacker won't be able to discover the plaintext (which I might
> have used for other accounts or whatever).

Again, this only works if you're the only one doing it. If all Jabber  
servers do it, I can hack all your Jabber accounts. If email people start  
doing it, I can get your email. I think at one point in the edigest thread  
someone even came up with the idea that by that time you can just start  
hashing it twice (!)

And again, the reverse is also true. Many other systems store the hash on  
the server, under the impression that this is safer; they require a plain-  
text password to log in, after all. Now I can do what was near impossible  
before: take that hash and log into your Jabber account, because of the  
"improved" security.
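The argument in this message (a client-side hash that the server stores and compares verbatim becomes the credential itself, so a dump of either that server's database or of any other system that stores the same unsalted digest logs you in) can be shown in a few lines. The following is an added example written for this page, not code from the thread, from any Jabber server, or from JEP-0077; the class names `NaiveServer` and `SaltedServer`, the use of SHA-256 as the "client hash", and the sample account are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """The 'hash it on the client' scheme discussed in the thread.

    Assumption for this example: every client uses the same unsalted
    SHA-256, so every server sees the same digest for the same password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class NaiveServer:
    """Stores the client digest as-is and compares it directly.

    Whatever the client sends IS the credential: a leaked row replays
    unchanged, and the same digest works on every server using this scheme.
    """

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def register(self, user: str, client_digest: str) -> None:
        self.db[user] = client_digest

    def login(self, user: str, client_digest: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, client_digest)


class SaltedServer:
    """Treats the client digest as the password and runs its own salted,
    slow hash before storing it. A leaked row is no longer a credential."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(salt: bytes, client_digest: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", client_digest.encode("utf-8"), salt, 100_000)

    def register(self, user: str, client_digest: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(salt, client_digest))

    def login(self, user: str, client_digest: str) -> bool:
        record = self.db.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(salt, client_digest))


def demo() -> dict[str, bool]:
    # Constructed sample: one user reusing one password everywhere.
    password = "correct horse battery staple"
    digest = client_hash(password)

    jabber = NaiveServer()
    jabber.register("alice", digest)
    other_jabber = NaiveServer()            # a second server using the same scheme
    other_jabber.register("alice", digest)
    hardened = SaltedServer()
    hardened.register("alice", digest)

    # Attacker dumps the databases (the "hacker gains control of my machine"
    # case, seen from the server side).
    leaked_naive = jabber.db["alice"]
    leaked_salted_hex = hardened.db["alice"][1].hex()

    # "Many other systems store the hash on the server": an unrelated site
    # that stored an unsalted SHA-256 of the plaintext leaks the same value.
    leaked_from_other_system = hashlib.sha256(password.encode("utf-8")).hexdigest()

    return {
        # Genuine login still works against the hardened server.
        "legit_salted_login": hardened.login("alice", digest),
        # Stolen stored value logs straight in when the server compares it directly.
        "naive_replay": jabber.login("alice", leaked_naive),
        # Same stolen value is also the credential on every other such server.
        "cross_server_replay": other_jabber.login("alice", leaked_naive),
        # The reverse case from the message: a hash leaked elsewhere opens the account.
        "other_system_hash_logs_in": jabber.login("alice", leaked_from_other_system),
        # A row leaked from the salted server is useless as a credential.
        "salted_replay": hardened.login("alice", leaked_salted_hex),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the message makes is the comparison step, not the hash function: once the server accepts the stored value as proof, the stored value is the password, and its usefulness to an attacker grows with every other system that stores the same digest. Salting and re-hashing on the server keeps a database dump from becoming a login, though it does nothing for the plaintext-reuse problem the client-side hash was meant to address.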
