[Standards-JIG] JEP-0077: In-Band Registration

Ian Paterson ian.paterson at clientside.co.uk
Fri Jul 21 17:52:32 UTC 2006


>> Clearly users cannot use the option for existing accounts unless the 
>> server allows them to change the password.
>
> Yes, now passwords must be stored plain, but even when this will become
> standardized (hashes) there is another issue. Chris Mullins pointed it
> out, it's Active Directory or some similar backend password storage.

Yes, Active Directory, LDAP etc. are some of those "existing accounts" cases 
I mentioned.

Nobody is suggesting that hashed passwords become the standard way of 
logging-in. However, IMHO there should be a non-protocol standard to allow 
those clients that choose to implement this optional password hiding feature 
to be compatible with one another.

Piotr, could you be comfortable with the following standard?
SHA256(JID+plainPassword)
Do you want to write the shortest-ever JEP?

- Ian
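
Added example, not part of the original message: a Python sketch of the client-side derivation SHA256(JID+plainPassword) proposed above, showing what two clients must agree on to interoperate. The bare-JID lowercasing, UTF-8 encoding, hex output, the sample JIDs and the `hidden_password_delimited` variant are assumptions made for illustration; the message specifies none of them.

```python
import hashlib


def bare_jid(jid: str) -> str:
    """Canonical form fed to the hash (assumption, simplified).

    Drops any /resource and lowercases the rest. A real client would apply
    the XMPP stringprep profiles instead of str.lower().
    """
    return jid.split("/", 1)[0].lower()


def hidden_password(jid: str, plain_password: str) -> str:
    """SHA256(JID+plainPassword) as written in the message, hex-encoded."""
    data = (bare_jid(jid) + plain_password).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def hidden_password_delimited(jid: str, plain_password: str) -> str:
    """Hypothetical variant: a NUL byte separates JID and password.

    Plain concatenation does not record where the JID ends, so distinct
    (JID, password) pairs can produce the same input string.
    """
    data = bare_jid(jid).encode("utf-8") + b"\x00" + plain_password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample values.
    pw = "correct horse"

    # Two clients only derive the same value if they canonicalise the JID alike.
    print(hidden_password("Juliet@Example.com/balcony", pw)
          == hidden_password("juliet@example.com", pw))

    # The same plain password reused on another account derives a different value.
    print(hidden_password("juliet@example.com", pw)
          != hidden_password("juliet@example.org", pw))

    # Concatenation ambiguity: both pairs hash "juliet@example.communich".
    a = ("juliet@example.com", "munich")
    b = ("juliet@example.co", "mmunich")
    print(hidden_password(*a) == hidden_password(*b))
    print(hidden_password_delimited(*a) != hidden_password_delimited(*b))
```

The server still treats the derived value as the account password; only the user's plain password stays on the client.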



