[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Peter Saint-Andre stpeter at jabber.org
Mon Jul 17 20:49:04 UTC 2006


Tijl Houtbeckers wrote:
> On Mon, 17 Jul 2006 22:21:48 +0200, Peter Saint-Andre
> <stpeter at jabber.org> wrote:
> 
>> That way, even if a hacker gains
>> control of my machine, they'll have only the hash -- which makes it
>> trivial for the hacker to log into my Jabber account of course, but at
>> least the hacker won't be able to discover the plaintext (which I might
>> have used for other accounts or whatever).
> 
> Again, this only works if you're the only one doing it. If all Jabber
> servers do it, I can hack all your Jabber account. If email people start
> doing it, I can get your email. I think at one point in the edigest
> thread someone even came up with the idea that by that time you can just
> start hashing it twice (!)

I think three times would be even safer! :-)

/psa
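
The point made in the exchange above, as an added example that is not part of the original thread: a stored hash of the bare password is identical at every service that adopts the same scheme, and hashing it two or three times changes nothing. The service-bound derivation shown beside it goes beyond what the thread proposes; SHA-256, PBKDF2, the iteration count and the service and account names are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data, not taken from the thread.
SERVICES = ["jabber.example", "mail.example", "forum.example"]
ACCOUNT = "user"
PASSWORD = "correct horse battery staple"


def plain_hash(password: str, rounds: int = 1) -> str:
    """Hash the password `rounds` times with no service-specific input."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def service_bound(password: str, service: str, account: str) -> str:
    """Derive a stored secret tied to one service and one account.

    The result is still a login credential for that one service, as the
    thread notes, but it is not valid anywhere else.
    """
    salt = f"{service}\x00{account}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def stored_secrets(derive) -> dict:
    """What a client would keep on disk for each service under `derive`."""
    return {service: derive(service) for service in SERVICES}


def reusable_elsewhere(stored: dict) -> bool:
    """True if a secret stolen for one service equals the secret for another."""
    return len(set(stored.values())) < len(stored)


if __name__ == "__main__":
    for rounds in (1, 2, 3):
        stored = stored_secrets(lambda svc, r=rounds: plain_hash(PASSWORD, r))
        print(f"plain hash x{rounds}: reusable elsewhere = {reusable_elsewhere(stored)}")
    bound = stored_secrets(lambda svc: service_bound(PASSWORD, svc, ACCOUNT))
    print(f"service-bound: reusable elsewhere = {reusable_elsewhere(bound)}")
```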

