[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]

Kevin Smith kevin at kismith.co.uk
Tue Sep 11 16:30:11 UTC 2007


On 11 Sep 2007, at 17:20, Ian Paterson wrote:
> Even where TLS is available, SASL PLAIN requires server operators  
> to keep copies of all users' passwords. This is a serious (and  
> often unnecessary) security weakness.

I'm not sure that's true; the server could hash the password still,  
both in storage and at the end of the wire. It doesn't help against a  
compromised server that's still accepting connections, but the  
passwords don't need to be stored plaintext afaics.

/k
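Kevin's point, as an added example that is not code from this thread or from any XMPP server: the server receives the PLAIN credentials over TLS but stores and checks only a salted PBKDF2 hash, never the password itself. The message layout follows RFC 4616 (`[authzid] NUL authcid NUL passwd`); the user database, password and iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build the base64 SASL PLAIN initial response (RFC 4616 layout)."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(initial_response_b64: str):
    """Split a base64 SASL PLAIN message into (authzid, authcid, password)."""
    parts = base64.b64decode(initial_response_b64).split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Server-side storage: random salt plus PBKDF2-HMAC-SHA256 derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(record: dict, password: str) -> bool:
    """Re-derive from the password that arrived over TLS; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


# Constructed user database: only salted derived keys are kept on the server.
USERS = {"juliet": make_record("correct horse battery staple")}

# Dummy record so unknown users cost the same PBKDF2 work as known ones.
_DUMMY = make_record(os.urandom(16).hex())


def authenticate(db: dict, initial_response_b64: str) -> bool:
    """Server side of a PLAIN exchange: decode, look up, verify the hash."""
    try:
        _authzid, authcid, passwd = decode_plain(initial_response_b64)
    except ValueError:
        return False
    record = db.get(authcid)
    known = record is not None
    ok = verify(record if known else _DUMMY, passwd)
    return known and ok
```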
