[Standards-JIG] Re: Re: Re: JEP-0077: In-Band Registration

Piotr Szturmaj gacek999 at tlen.pl
Fri Jul 21 14:13:32 UTC 2006

> It doesn't matter if all clients use exactly the same trick for all 
> servers as long as the JID (and "xmpp:") are used as a salt.
> The client I develop offers users the option to convert their plain 
> password to SHA256(JID+plainPassword) immediately after they type it. If 
> this option is specified then the resulting hash is always used instead of 
> a plaintext password (for creating accounts, login etc). The feature is 
> 100% transparent to servers.
> Clearly users cannot use the option for existing accounts unless the 
> server allows them to change the password.

I see, we have the same thinking :)

> The client has a feature that copies the 64-hex-char hash so the user may 
> paste it into the password field of another client that does not support 
> the password hash option.

This works, but it isn't very comfortable. Something standarized is a

> Piotr Szturmaj is not the only one thinking this is a worthwhile security 
> measure (see the paper Peter highlighted: 
> http://crypto.stanford.edu/PwdHash/pwdhash.pdf). And as Piotr pointed out, 
> even clients that use SASL login require users to supply a password. If 
> several clients provided a *standard* optional way of hashing the 
> password, then it would be much easier for people to use multiple clients 
> with enhanced security.

Yes, now passwords must be stored plain, but even when this will become
standarized (hashes) there is another issue. Chris Mullins pointed it
out, it's Active Directory or some similar backend password storage. 

More information about the Standards mailing list